
Windows Analysis Report
gs7lQa4EuM.exe

Overview

General Information

Sample name: gs7lQa4EuM.exe (renamed because original name is a hash value)
Original sample name: 55e67256addca7beac549792d5cad73bd1913f283bb59c5331e399234cd82409.exe
Analysis ID: 1579066
MD5: 74d715684a39963b0d423a3a1c9f20d5
SHA1: 68058b84381cef6ce5987014e15cf76574445390
SHA256: 55e67256addca7beac549792d5cad73bd1913f283bb59c5331e399234cd82409
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • gs7lQa4EuM.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\gs7lQa4EuM.exe" MD5: 74D715684A39963B0D423A3A1C9F20D5)
    • powershell.exe (PID: 3540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gs7lQa4EuM.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7756 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 2196 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 74D715684A39963B0D423A3A1C9F20D5)
  • XClient.exe (PID: 3260 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 74D715684A39963B0D423A3A1C9F20D5)
  • cleanup
{"C2 url": ["environment-robots.gl.at.ply.gg:37139"], "Port": 37139, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
gs7lQa4EuM.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
gs7lQa4EuM.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
gs7lQa4EuM.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x104af:$s6: VirtualBox
  • 0x1040d:$s8: Win32_ComputerSystem
  • 0x1467b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x14718:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1482d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x129ce:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x104af:$s6: VirtualBox
  • 0x1040d:$s8: Win32_ComputerSystem
  • 0x1467b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x14718:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1482d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x129ce:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x102af:$s6: VirtualBox
  • 0x1020d:$s8: Win32_ComputerSystem
  • 0x1447b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x14518:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1462d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x127ce:$cnc4: POST / HTTP/1.1
00000000.00000002.2536397459.0000000002391000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: gs7lQa4EuM.exe PID: 6960 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.gs7lQa4EuM.exe.c0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.gs7lQa4EuM.exe.c0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.gs7lQa4EuM.exe.c0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x104af:$s6: VirtualBox
  • 0x1040d:$s8: Win32_ComputerSystem
  • 0x1467b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x14718:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1482d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x129ce:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gs7lQa4EuM.exe", ParentImage: C:\Users\user\Desktop\gs7lQa4EuM.exe, ParentProcessId: 6960, ParentProcessName: gs7lQa4EuM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', ProcessId: 3540, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gs7lQa4EuM.exe", ParentImage: C:\Users\user\Desktop\gs7lQa4EuM.exe, ParentProcessId: 6960, ParentProcessName: gs7lQa4EuM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', ProcessId: 3540, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\gs7lQa4EuM.exe, ProcessId: 6960, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gs7lQa4EuM.exe", ParentImage: C:\Users\user\Desktop\gs7lQa4EuM.exe, ParentProcessId: 6960, ParentProcessName: gs7lQa4EuM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', ProcessId: 3540, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\gs7lQa4EuM.exe, ProcessId: 6960, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gs7lQa4EuM.exe", ParentImage: C:\Users\user\Desktop\gs7lQa4EuM.exe, ParentProcessId: 6960, ParentProcessName: gs7lQa4EuM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe', ProcessId: 3540, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: gs7lQa4EuM.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: gs7lQa4EuM.exe; Malware Configuration Extractor: Xworm {"C2 url": ["environment-robots.gl.at.ply.gg:37139"], "Port": 37139, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\XClient.exe; ReversingLabs: Detection: 78%
Source: gs7lQa4EuM.exe; ReversingLabs: Detection: 78%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe; Joe Sandbox ML: detected
Source: gs7lQa4EuM.exe; Joe Sandbox ML: detected
Source: gs7lQa4EuM.exe; String decryptor: environment-robots.gl.at.ply.gg:37139
Source: gs7lQa4EuM.exe; String decryptor: 37139
Source: gs7lQa4EuM.exe; String decryptor: <123456789>
Source: gs7lQa4EuM.exe; String decryptor: <Xwormmm>
Source: gs7lQa4EuM.exe; String decryptor: XWorm V5.2
Source: gs7lQa4EuM.exe; String decryptor: USB.exe
Source: gs7lQa4EuM.exe; String decryptor: %AppData%
Source: gs7lQa4EuM.exe; String decryptor: XClient.exe
Source: gs7lQa4EuM.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gs7lQa4EuM.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor; URLs: environment-robots.gl.at.ply.gg:37139
Source: Yara match; File source: gs7lQa4EuM.exe, type: SAMPLE
Source: Yara match; File source: 0.0.gs7lQa4EuM.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000009.00000002.1669277776.000002184185B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000003.00000002.1398854965.000001C46FC9E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mMp
Source: powershell.exe, 00000006.00000002.1513280504.00000287B00BA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000003.00000002.1398038770.000001C46FC14000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000003.00000002.1396579927.000001C46F920000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.v
Source: gs7lQa4EuM.exe, 00000000.00000002.2536397459.0000000002452000.00000004.00000800.00020000.00000000.sdmp, gs7lQa4EuM.exe, 00000000.00000002.2536397459.0000000002440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: gs7lQa4EuM.exe, XClient.exe.0.dr; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000003.00000002.1391404235.000001C467651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1493071911.00000287A7A50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1649361262.000002183928F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1398038770.000001C46FC14000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://schemas.microsoft.coyp
Source: powershell.exe, 00000003.00000002.1372795036.000001C457808000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.0000028797C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: gs7lQa4EuM.exe, 00000000.00000002.2536397459.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1372795036.000001C4575E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.00000287979E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.0000023800001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1372795036.000001C457808000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.0000028797C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.1877733648.000002387BB9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.m.com/pkiDocsory.pc
Source: powershell.exe, 00000003.00000002.1372795036.000001C4575E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.00000287979E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.0000023800001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1391404235.000001C467651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1493071911.00000287A7A50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1649361262.000002183928F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Process information set: 01 00 00 00

System Summary

Source: gs7lQa4EuM.exe, type: SAMPLE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.gs7lQa4EuM.exe.c0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC5514E9
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC556E62
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC559329
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC551F81
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC5560B6
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC551CFD
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC5510E0
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC5510BD
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe; Code function: 0_2_00007FFAAC55A3BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFAAC6230E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 11_2_00007FFAAC6130E7
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 15_2_00007FFAAC5414E9
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 15_2_00007FFAAC541070
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 15_2_00007FFAAC541CFD
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 15_2_00007FFAAC5410E0
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 16_2_00007FFAAC5314E9
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 16_2_00007FFAAC531070
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 16_2_00007FFAAC531CFD
Source: C:\Users\user\AppData\Roaming\XClient.exe; Code function: 16_2_00007FFAAC5310E0
Source: gs7lQa4EuM.exe, 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameccccccc.exe4 vs gs7lQa4EuM.exe
Source: gs7lQa4EuM.exe; Binary or memory string: OriginalFilenameccccccc.exe4 vs gs7lQa4EuM.exe
Source: gs7lQa4EuM.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gs7lQa4EuM.exe, type: SAMPLE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.gs7lQa4EuM.exe.c0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: gs7lQa4EuM.exe, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: gs7lQa4EuM.exe, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: gs7lQa4EuM.exe, jJ0CgMM7uFvZAbj3myxJjZC2nCSCh3rAas.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, jJ0CgMM7uFvZAbj3myxJjZC2nCSCh3rAas.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: gs7lQa4EuM.exe, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs; Base64 encoded string: 'WbB51zgIVlFeMutNqOmuosbimnBYC5M0Nn2RDCVFXNKMr4EVsblKP9ajn28Tz1JSzPms3xIZvPElBX18tSZb', 'RCGwxebjZzn8wa2dg65v668TNFhXHsNug4U4EJMJiiK67QiBlLbpZozlTPK16EtPTuL237ZAsuqdvJuobaX3', 'Mc9FadZHNiivDoREr82noGuxsRsx1Pj6iya3NuDK6YWlhNEdPI8IMJ94DXCwFQuFNjm3MQ41DkbjrBJJopdD', 'MBkvq2zEOV7xYZI74XBEIu8nt4upC1ctosyCd5297z28C8RQgavlLwgDgRYbrny5SfdM7HxQm3dcuCLen29u', 'KD7MsKfyyRUmJyc7qrWEI1PpzSmoDIoIOpqfMkM3DrfkyfUhZ0D0kCvsWOWmdakfKj3Nig0aar3Jq0CYLj7Y', 'ixMXOINlX0WNqm3Xjo2VSNRaBRM09cVFr0xyXdUVOb8WTsVD7aSiI15Sj35YvJ3ZdjAOErLSGDhWmmjsQsEz', 'O1bdAabwlwFHCLntd5AjrrFaKc10R7PfABYs6fQqs2JqFXwHCAsU7kaHAJplxVRx6JdI7iEG2rqJaMfeNzNY', 'P188HpIETExTWFbEfonh13DQuY5bsfy0shL4zTkBXte6Ov8sd9MRytY2AnjqJwNP1rw9IZ69kgZegfoEoM26'
Source: gs7lQa4EuM.exe, vy4Y7qijDBz7kr0T4O2YePRQAZoSC4WcBq.cs; Base64 encoded string: 'pHQXk1DimiQ6tve04EZUDUgWwXwNF2lXe06WGdwDwzWiXdElzbmAheUj6ocr58vMdbLpejcKk7Yleuh9ZEln', 'yvYlOyajiPVtovludUhPWCA7ONjBcwr8zliKbAt7txqmxktBoLOgZv0oSHK1K45cFtvTHVSmWbXqheOpJrPz', 'xKcotIo8WIiJTWujS8FJIPmj56IRAyHrmC3HiFYHtR1U2JhtprMrrN9X9CXNWHzRu3paO6TWzmnTjs3egL1U'
Source: gs7lQa4EuM.exe, fd90a9adfHr7Ksb0tsXFMke4MJw3wAPob0.cs; Base64 encoded string: 'GlRKHNrhGMvL7WLeBLVyf1eXHLbm53rcYMbTEX480sjabH4S2QdhFhVNi39THgo9C9JYWQglYWhHyQpSYcOX', 'hiuPcVaGd5AbiewO1zWsaXlsEBnPJzVAKskBjgzKPCsgg7kKnxBbgtD6VD2tlHZ8eWB9NbJ7NUKG8fJAm1Zj', 'MDFb0wwaOvXq0GhNVzTKfvBkffnrg16E59JSpNuA8tMtavhOgWOUjioQkYPeLDvi4aoU5f50AfIZgslNNPMn', 'nkSh1EYIMavnm3ZCY5hPIBy2ZEwcMxyiroqKG6sB7TIUSoO8bJnwHQMYIgxEtZHR7FMVNEnXN9VMDcZcgs1u', 'lzG1TTRPJMYThshucJBgk14FEijZUFvhI6j1HNLHvPfYivnvDMer3ovWS8vbpSpYhUVlDSLMvcxGNlxzgWdx', 'q8bKGKGczQ61IoNbTwsupRSw5QSmwtbHMFbbCkmEm4u8Z3sACBt8trmUhOo9TcQZntw7l7VG0SzRDE1aWPWR', 'sBKaRvoGsNfiox2cYeR6DiPfb6dkIrCSafX8ZVAZrTUTWbLOQzcnvLlyVX12C0oAEhYZX5zxgBf2Wqos1AOm', 'x39TdCdZPDrgz4XQuQ3hOfpvMygS8gnjyJ1XgbKQtiFuI0P8foXHgX7ZpEdHHB16vmvtjmP1jdO6wssOHrFk', 'gTzDu3xdfTl6PQOdJX16LbBQKTbH72JV5rzWTT7moskwTekvGzQEBIQrNGjxr7CtFv4frIf9f38Yv2sWELmv'
Source: XClient.exe.0.dr, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs; Base64 encoded string: 'WbB51zgIVlFeMutNqOmuosbimnBYC5M0Nn2RDCVFXNKMr4EVsblKP9ajn28Tz1JSzPms3xIZvPElBX18tSZb', 'RCGwxebjZzn8wa2dg65v668TNFhXHsNug4U4EJMJiiK67QiBlLbpZozlTPK16EtPTuL237ZAsuqdvJuobaX3', 'Mc9FadZHNiivDoREr82noGuxsRsx1Pj6iya3NuDK6YWlhNEdPI8IMJ94DXCwFQuFNjm3MQ41DkbjrBJJopdD', 'MBkvq2zEOV7xYZI74XBEIu8nt4upC1ctosyCd5297z28C8RQgavlLwgDgRYbrny5SfdM7HxQm3dcuCLen29u', 'KD7MsKfyyRUmJyc7qrWEI1PpzSmoDIoIOpqfMkM3DrfkyfUhZ0D0kCvsWOWmdakfKj3Nig0aar3Jq0CYLj7Y', 'ixMXOINlX0WNqm3Xjo2VSNRaBRM09cVFr0xyXdUVOb8WTsVD7aSiI15Sj35YvJ3ZdjAOErLSGDhWmmjsQsEz', 'O1bdAabwlwFHCLntd5AjrrFaKc10R7PfABYs6fQqs2JqFXwHCAsU7kaHAJplxVRx6JdI7iEG2rqJaMfeNzNY', 'P188HpIETExTWFbEfonh13DQuY5bsfy0shL4zTkBXte6Ov8sd9MRytY2AnjqJwNP1rw9IZ69kgZegfoEoM26'
Source: XClient.exe.0.dr, vy4Y7qijDBz7kr0T4O2YePRQAZoSC4WcBq.cs; Base64 encoded string: 'pHQXk1DimiQ6tve04EZUDUgWwXwNF2lXe06WGdwDwzWiXdElzbmAheUj6ocr58vMdbLpejcKk7Yleuh9ZEln', 'yvYlOyajiPVtovludUhPWCA7ONjBcwr8zliKbAt7txqmxktBoLOgZv0oSHK1K45cFtvTHVSmWbXqheOpJrPz', 'xKcotIo8WIiJTWujS8FJIPmj56IRAyHrmC3HiFYHtR1U2JhtprMrrN9X9CXNWHzRu3paO6TWzmnTjs3egL1U'
Source: XClient.exe.0.dr, fd90a9adfHr7Ksb0tsXFMke4MJw3wAPob0.cs; Base64 encoded string: 'GlRKHNrhGMvL7WLeBLVyf1eXHLbm53rcYMbTEX480sjabH4S2QdhFhVNi39THgo9C9JYWQglYWhHyQpSYcOX', 'hiuPcVaGd5AbiewO1zWsaXlsEBnPJzVAKskBjgzKPCsgg7kKnxBbgtD6VD2tlHZ8eWB9NbJ7NUKG8fJAm1Zj', 'MDFb0wwaOvXq0GhNVzTKfvBkffnrg16E59JSpNuA8tMtavhOgWOUjioQkYPeLDvi4aoU5f50AfIZgslNNPMn', 'nkSh1EYIMavnm3ZCY5hPIBy2ZEwcMxyiroqKG6sB7TIUSoO8bJnwHQMYIgxEtZHR7FMVNEnXN9VMDcZcgs1u', 'lzG1TTRPJMYThshucJBgk14FEijZUFvhI6j1HNLHvPfYivnvDMer3ovWS8vbpSpYhUVlDSLMvcxGNlxzgWdx', 'q8bKGKGczQ61IoNbTwsupRSw5QSmwtbHMFbbCkmEm4u8Z3sACBt8trmUhOo9TcQZntw7l7VG0SzRDE1aWPWR', 'sBKaRvoGsNfiox2cYeR6DiPfb6dkIrCSafX8ZVAZrTUTWbLOQzcnvLlyVX12C0oAEhYZX5zxgBf2Wqos1AOm', 'x39TdCdZPDrgz4XQuQ3hOfpvMygS8gnjyJ1XgbKQtiFuI0P8foXHgX7ZpEdHHB16vmvtjmP1jdO6wssOHrFk', 'gTzDu3xdfTl6PQOdJX16LbBQKTbH72JV5rzWTT7moskwTekvGzQEBIQrNGjxr7CtFv4frIf9f38Yv2sWELmv'
                    Source: gs7lQa4EuM.exe, 8Lq73mxKPrHYM5yjHSJDYgIOQpogUYhe2nAdpS5uJ5UGbPnYK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: gs7lQa4EuM.exe, 8Lq73mxKPrHYM5yjHSJDYgIOQpogUYhe2nAdpS5uJ5UGbPnYK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: XClient.exe.0.dr, 8Lq73mxKPrHYM5yjHSJDYgIOQpogUYhe2nAdpS5uJ5UGbPnYK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: XClient.exe.0.dr, 8Lq73mxKPrHYM5yjHSJDYgIOQpogUYhe2nAdpS5uJ5UGbPnYK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@15/21@1/1
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeFile created: C:\Users\user\AppData\Roaming\XClient.exeJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeMutant created: \Sessions\1\BaseNamedObjects\9X3Wc1Y9f6fiyodi
                    Source: C:\Users\user\AppData\Roaming\XClient.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                    Source: gs7lQa4EuM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: gs7lQa4EuM.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: gs7lQa4EuM.exeReversingLabs: Detection: 78%
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeFile read: C:\Users\user\Desktop\gs7lQa4EuM.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\gs7lQa4EuM.exe "C:\Users\user\Desktop\gs7lQa4EuM.exe"
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gs7lQa4EuM.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gs7lQa4EuM.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: XClient.lnk.0.dr | LNK file: ..\..\..\..\..\XClient.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: gs7lQa4EuM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: gs7lQa4EuM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.HyS6s3sAGqbEQEwbYDfuOoUEfUbm0NgEqxo10iHwvQzcgbJJn,_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.x3i8BREENa9wUctrecgzRf7tuDPeHQ72Fa3Wq7p308gP6MT9C,_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.T2R062MLhoWwy1lZUAZ8zYxWfBUbXlNa6rtxghB6bBLmRKxCB,_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.s0mYiwr5NqE1cgO2yVKPDEb7hKvSMoWat7mKcqFCrTmaismk6,BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.QVTKDIIoBptzTwyOl6yA4yYeGil5gyb4bP()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ISEYEN4whbhQSnbsYEPiq3wzd02hDTfyqt[2],BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.dcjeb29NPSjNLM8RHOW8aUqqYYofSFx04Y(Convert.FromBase64String(ISEYEN4whbhQSnbsYEPiq3wzd02hDTfyqt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { ISEYEN4whbhQSnbsYEPiq3wzd02hDTfyqt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.HyS6s3sAGqbEQEwbYDfuOoUEfUbm0NgEqxo10iHwvQzcgbJJn,_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.x3i8BREENa9wUctrecgzRf7tuDPeHQ72Fa3Wq7p308gP6MT9C,_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.T2R062MLhoWwy1lZUAZ8zYxWfBUbXlNa6rtxghB6bBLmRKxCB,_76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.s0mYiwr5NqE1cgO2yVKPDEb7hKvSMoWat7mKcqFCrTmaismk6,BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.QVTKDIIoBptzTwyOl6yA4yYeGil5gyb4bP()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ISEYEN4whbhQSnbsYEPiq3wzd02hDTfyqt[2],BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.dcjeb29NPSjNLM8RHOW8aUqqYYofSFx04Y(Convert.FromBase64String(ISEYEN4whbhQSnbsYEPiq3wzd02hDTfyqt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { ISEYEN4whbhQSnbsYEPiq3wzd02hDTfyqt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: T5r0xorAlbPnuKWeEgpBPNUM2WqhuJYsJi System.AppDomain.Load(byte[])
                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: UWO8YlOc62H9R5E5Otenm2YaseMxdIzu5Q System.AppDomain.Load(byte[])
                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: UWO8YlOc62H9R5E5Otenm2YaseMxdIzu5Q
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: T5r0xorAlbPnuKWeEgpBPNUM2WqhuJYsJi System.AppDomain.Load(byte[])
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: UWO8YlOc62H9R5E5Otenm2YaseMxdIzu5Q System.AppDomain.Load(byte[])
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | .Net Code: UWO8YlOc62H9R5E5Otenm2YaseMxdIzu5Q
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAC40D2A5 pushad ; iretd 3_2_00007FFAAC40D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAC5F2316 push 8B485F94h; iretd 3_2_00007FFAAC5F231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAC40D2A5 pushad ; iretd 6_2_00007FFAAC40D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAC52121D push E95C7B05h; ret 6_2_00007FFAAC521239
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAC5F2316 push 8B485F94h; iretd 6_2_00007FFAAC5F231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC43D2A5 pushad ; iretd 9_2_00007FFAAC43D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAC622316 push 8B485F91h; iretd 9_2_00007FFAAC62231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC42D2A5 pushad ; iretd 11_2_00007FFAAC42D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC54AA97 push esp; retf 11_2_00007FFAAC54AA98
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC541A75 pushad ; iretd 11_2_00007FFAAC541AB9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC612316 push 8B485F92h; iretd 11_2_00007FFAAC61231B
                    Source: gs7lQa4EuM.exe, 76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.cs | High entropy of concatenated method names: 'LgZBRw8P42X5a5AtrtBTiaxYmJ3wiEw79v', '_6GEJCADOfmXuvWIhxx8Xg7p77k7dnwhcDF', 'lODGDSr9o1gcZojwsQuo7OHBdov02FB2Y3rbpHnLSy1JEse5SJcNzQs5FglICRgJ6g', 'IGladNCWvJXTRykankHEndA2ApnnQp0YRpoesKI7CwdKi3oiIkusT1HQgX12ab0QoK'
                    Source: gs7lQa4EuM.exe, Q0xSlSrzKLPFMcgpIFMNRFzrsiFeJgyhR9.cs | High entropy of concatenated method names: 'vr7B87S9wVdPmTt14ysqjZdpPBMJlmkud9', 'RqJfe0CCluORlWTKuveqauIdSKMwy12Cnq', '_1SFo6OJ6LmXa9t0cPOg5IZnBjwc9PXwl2L', '_6yBWDcu3egdODVI6hTbrDB0zGV', 'fNt9m4RNN5iXpx1dEunhjMxvsG', 'xOXDnt1h0auoR0ieh0UwBdAsCa', '_3Hyg1dzLBhkI1oM38xnDBMe491', 'v5pU7f5oJFIPHpIAl7mO2ai8Us', 'qpYdpiHzWXQCEIcNKaBeAwZN8l', 'VktYwj7JQBQcxIVfZaC4SpqCm6'
                    Source: gs7lQa4EuM.exe, PSuOZd7AkyEdpWimPEaFJnrz990n0VpJt0zVpq5NJWUZ701la.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'dEWNbOjaqFv3mBC5ZkdTlKiObWpPGDq6XI', '_7lm8sHd3iDnCqAlJhTFndhBap6KbRWR089', 'jwFydvEk66dJYVz760xzrO8Bl2R69yC4OP', 'guFPynHezDF3AERX7kc16WbLGWHWiCoK6l'
                    Source: gs7lQa4EuM.exe, Dta8jxDirZHeLhmDeLbp8yn6Wkbd75knK0.cs | High entropy of concatenated method names: 'MicVNpnRsfxVBjQEEJ3ZG3mX2gwFVjcH08', '_4NvvqWHkUqqz1f2yuq9Hxt1dNQwHKRO8h3', 'WTa4jMd95lXxUtEaJYtiRhTbUuizZcjWsI', '_3FLgbcckSNR4i1zdlMzbIoihw2xU1Fj1tCbq87VagCnbI9iKEYbhLXk1f396cdwsengzfm1s8gMHZ2wVf6NSS2m2hcM03SohHFC', 'Vk076z1LcPzux2nWjfDTEdReusB1vdUfhHVBcm2hzgSbHzZEetBZ3KCcMPjY3aDR9rIaEpwUxtoijcraasxpKrCZ9sXpOsvRNCJ', 'ZTzoqSTV7lRuhpFQh5w9kE8rZODKqHcZM0EYkPrjFdv4KBqiFsq3u0r8MolyDXVA7CEUgXqlBygrjaj1LkHtondCpeXLHSqk4Rk', 'H2004DbHyd5POphIAgrR6KfQqAXajFGPU1BkuIYuQJjufx42n3FdWMqiLknUpaQWnvo9z1SIkKEQFUoq2HakOXTkanyFwrUz975', 'wIseS4SA1qj727iRTctXHYNqPTBXWvpmZqSRretlONnvS8Mv2UqdXyRJ6li8FJsBZxijlxUHrJpqzl7DWeS1ZNRlyNdT4sZmYUp', 'dWXt3nj9kLH0iKyLJt0hPdeJ1xaFldVS0rby9qPX2rXQqwrVfvAu7QnVbXhjyayXz9enR0PEjWvCA2gzvNJlGejOB6yxkLIW6ke', 'T0RBmmjgsVcY7YElakbotM6RfH5WXjkl7XUDKz19QvNMv2Nbr8n0KmeDzkvffe7h7IOGQGVy0pc2lGUrKJqsLyXwHonJuR2nvea'
                    Source: gs7lQa4EuM.exe, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | High entropy of concatenated method names: 'qLZawPjbb5Scsd5DR8aJifDtTZ2W93hqOk', 'T5r0xorAlbPnuKWeEgpBPNUM2WqhuJYsJi', 'Mn9cg7nFqrRrmokNO0BklIqSHKWk0WxLF0', 'oU3gGHa4xmGUnIW7N8KnTd20a3yatJylVn', 'qEmjNQi2QUsiE4Et7mt4TfYAWN63jraB4m', 'Cu8duXlQOS1RzoDrXeiAee0CZBYZpFYqTY', 'wHZqPpteU1wW68rmhmuYZ7A687qclM5Sq6', 'wZOSw13nzyCO93czimvaKxlDTGM5zBhqAt', 'A4w43Q7JJbCVPoe9U4QOwbtDvF2mah2cIw', 'jvUXRGHz1rSxwzWVhfkDOI8ZyhD1gqUeSu'
                    Source: gs7lQa4EuM.exe, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs | High entropy of concatenated method names: 'A8306GEFuk5AaTBrmymkLOZr9gV3TgY0hK', '_7YT7BnpsM7c97sqfkbzsrVtEvYLg6puswC', 'MDb8mYyGP75NpbrQ1dskYXMmSKgltRxltR', 'eaQs87kT1b13pGMj1y96P59zlvbrBpy0fs', '_6RfK7C37SeNl0eyYPpKTDmrXP572X93rBP', 'fKSaa4rcJHzqe5vRsNW9tkiWKLpA1cZ43g', 'cCd0WPRl4Qo3nt2CK535xDTPS823dZsLAa', 'ZSFQ56Ofl5n8VTZmwVUcui4meNJGk1f5IE', 'Iv1cyf0GTNA8VkPKgNdCDqIFPQHKrwiJWt', 'KTPhlH1GFVwps38ljldNWk6i6irnM09bxF'
                    Source: gs7lQa4EuM.exe, vy4Y7qijDBz7kr0T4O2YePRQAZoSC4WcBq.cs | High entropy of concatenated method names: 'f3B80Z8AZBs8TO5RimADnOkOfNcO4plizk', 'VvL5HlpvHU5KsyfTHiGpOu5Nrwh5tiVYwR', 'Rt1QoyyBc67MysSAh6y7VCqmmVqW5sxtR2', 'QSO8kOYTbE25hjfw2lDjS4llzRJYIUh1HH', 'c65EDSpkkaHFBEHXLcxvD3mZylBey8wRXre34f0XhXcG4PlcY027GOt66aV6LyiZDbyPWS5lchLC30rJ8rpu', 'sG7cDpB3E8ApIB26HlqN4WCexDUOg3GBZ4M5rVxXR06FJ63Jr4BVqpeq335Ln0rgHXmWXyX9D1pcezXIpCCl', 'ZF2Y2GzxOV00ZmMxRJgzlq3bWr7nBy3Cfv4kfeVyDhrBKcUN3QkrCm5uG6DGItvuhcQNIT5PK1YKzA5XB3jT', 'rTa8bfDmLOsggz0Ku4i51gYo2dIJjne33MBKa9nHysDXQ0h7YQTFxU7uxPyDxeAObI1qsqzEIIKLA6d5LLKU', 'YyJga9L2JvY75KtDu1Mtyaj5V3Qp1AW4uYmEFfuDCfwLAHNnMzIdqKgQaXc6OQTfnTRXGv8PVfvFh5JTcIMb', 'RFjlAmTWkg3xRJSw4XQ2nf4C7P3YP8ZTImIvPd7Z8HlONhBMzysNE7miXOKEnECNx0925anJJWqTldlTrj7z'
                    Source: gs7lQa4EuM.exe, 22NxkfZXSfcYpmiLLV9W1QyCvJkxTznk3ySZWr0UQeyoW6XbG.cs | High entropy of concatenated method names: 'fOogfNP2eY6k2mdHA2GTL32GfcQGR1iTWPBdcPRYQ6eu7j1E8', 'cQUDopltkauFMGDkhHALMgUj3037GXRY8NqajctnJyPukfZ49', 'ML7jH2H32s0dHV2RttVKAbJ8D8mj8lVaX5tJMGdG2VdFnMQ5C', 'IBXEDUlvFHf0inXTqOKWCyyA4sK4qZdUwLWcf1I3qf1icm7xU', 'yEpY3UMYXJMhEdjRoIv6zR06nN5lqWOI41j4lbt5WVo7XOu7R', 'SRdyRy3JUvrj9FyiZwzssCLt1ayquEdFSstVNA1BgIZ0znWQ7', 'FONzpBgYzBL1OjNZctt29w0JodEThZJFWNe4YZQKzs10WKkqv', 'sLmsQ9pJVYryMR7wpbjfgGy7hHNkajejSgryOKxhwbTbWJna3', 'pjU7AbNIw0dE3iHTDkgs6jL9L5K9ZKzYoVdrppSA11KRgz4Ef', 'Nl9o9IIhb5vv5IKw6eoJ9JCK1xkgVhrdtuXVwY3yPKkCwJb7x'
                    Source: gs7lQa4EuM.exe, jJ0CgMM7uFvZAbj3myxJjZC2nCSCh3rAas.cs | High entropy of concatenated method names: '_6q09CMfySLK4V89D2ORdvpjEesvUUNQdWn', 'm2hL01tlQ1GHUqGCT5cYVa2Q2fwUB1I8coiqxTWxpXk8Ot7WfApxsJKYWmg2GLoME43vzPvQneK9WOs3Z2pm', 'YbuCNXcKlGf2mQRM8grCmUTVt8wW48g6iEBAuVzP0WFuWkfIHg7sFcoUfxFwhiOFPI5r8YfOTs0j1WyhcjOq', 'DvEzbajeHom9h12jcoXriZxFOWplyozWIwkCVHvxGgAEXX2UEVJsOSkDtnttE0cWQYfb3c0LaALKDeZxj4QR', 'LpsOcL32g0fN6xckUOMemU6GswuGRPN2HGS4ks8EsmEly76GMyi2ze26tAO3anJRVgnt9EhKq60emAQWhWzC'
                    Source: gs7lQa4EuM.exe, 8Lq73mxKPrHYM5yjHSJDYgIOQpogUYhe2nAdpS5uJ5UGbPnYK.cs | High entropy of concatenated method names: 'ot9qgS2m8ICcurlRhYbLbxnkNGambZretfSjVY8qgjaDz5a9e', '_6uRgztByvQP9FNJrObwCBDFSE7yCLphrExmigpkHxTU8GPEwu', 'QhJUtANrn0oE78fhouEm6GJREsuW6O1gGyss6ehLsfL2UDXxR', 'yfopTkYIyNFUSU3VtDqrnhOOPAmdSTLbFs3ZrSfboKsfUxXnS', 'eD9f4GtVcnNaU6EAr2bmvpUSEcbj1fMmyqs4Ylu44gKcmuH0l', 'OHRPkVEqTSGhsq7Qu729Y5Z63siZQisgMN3eT0L9gvqZ7Tmlp', 'aeYai11Un50yKhpRdHI4dbYjoUJEOEgB7YVRr66GNF4zCUfQt', '_4Fpe3tajqd33V1XVa9F0h4X8PPWPY3pY9WNl2gPP9LwNiZKMW', 'zKosi0fdxwGrEtLwWIt47b0sMqLc4qMNVaDEY6cq2VTZ1GW5x', 'zsjC4ZX0YpwcRJsTSC2Z0g7R4VuaCZRLIzYc4v6EQK5ONtuvG'
                    Source: gs7lQa4EuM.exe, fd90a9adfHr7Ksb0tsXFMke4MJw3wAPob0.cs | High entropy of concatenated method names: 'o2yRB51xsKaD7K8iCLdIe2gsKQkQNuVDot', 'lGsZLGP3MDbq7pVKbQK5zjHLrGcs2JrCmd', 'GNtqGnvoA4iMK0IEOE9vIghCHpajmBBgH1', '_8qlgo33e9tW1VkA8CUtQIFW66ywRuaN5Rz', 'z9361pcb3RZy2y9maroL9uJzDGeSYo54gK', '_3B0IZlfAepHjoozBkG1KjDiCRoCjbQu6Ea', '_6pDE2AEw4KOFIvZyxA7eFHthzi2iLbNVHZ', 'hjMS9nI38oypn9OxejAmMIhjUH9nzTOIUS', 'qgJu6SPHnfbVSRnKevtfbT896ypW3d74hP', 'aQ0kaNCPAGH5jedLJxRoBI0XlH2xmWOCSE'
                    Source: gs7lQa4EuM.exe, 7OgDZv9MpWbfDx6MJaz4HcLf4cUxVCgapJ.cs | High entropy of concatenated method names: 'CeDjyxVO55gIjzWJgvSTvzEhrZWars6sed', 'EwSUwfP4bCGuVAkpJx54JyFRhWSzoUqqN6GYKEogFxYNG98ejmGZ9qaQF2bspKEOVRQmM3x01dQIt7MioTWN6jIkDyF5OKujF31', 'Evwm0VXaHcxpkdU7v9BBrQMETIFAmrxeY7pHcmLKifPQb1sRvzLEDcDXlEu7rfnDefX449ZOrWuemPcR5VIl28Ukc0CmuEbk3z7', 'xLJ5wp9zagaC56fAYl7Flg1RpNV8hobdYQHXf8kTqZNNuuc3zabunp7qjbVPJ4mDj2Xggc4Tk2o1AU3EG9nj8DFolosMxbMX1mL', 'dP3G15ONOfaVHMmPkkCbvlg6x75UuIr3Zfq1hsIaXr6LGfcaxqQdGJtUFCq9v6i1kWvAPVs95U6djhQyCIP6fjhiTF83aWHYXqA'
                    Source: XClient.exe.0.dr, 76ifJAGGHTpQPEPNAZKlXG261TA4WGjJG0ocCnHhayDKrisYp.cs | High entropy of concatenated method names: 'LgZBRw8P42X5a5AtrtBTiaxYmJ3wiEw79v', '_6GEJCADOfmXuvWIhxx8Xg7p77k7dnwhcDF', 'lODGDSr9o1gcZojwsQuo7OHBdov02FB2Y3rbpHnLSy1JEse5SJcNzQs5FglICRgJ6g', 'IGladNCWvJXTRykankHEndA2ApnnQp0YRpoesKI7CwdKi3oiIkusT1HQgX12ab0QoK'
                    Source: XClient.exe.0.dr, Q0xSlSrzKLPFMcgpIFMNRFzrsiFeJgyhR9.cs | High entropy of concatenated method names: 'vr7B87S9wVdPmTt14ysqjZdpPBMJlmkud9', 'RqJfe0CCluORlWTKuveqauIdSKMwy12Cnq', '_1SFo6OJ6LmXa9t0cPOg5IZnBjwc9PXwl2L', '_6yBWDcu3egdODVI6hTbrDB0zGV', 'fNt9m4RNN5iXpx1dEunhjMxvsG', 'xOXDnt1h0auoR0ieh0UwBdAsCa', '_3Hyg1dzLBhkI1oM38xnDBMe491', 'v5pU7f5oJFIPHpIAl7mO2ai8Us', 'qpYdpiHzWXQCEIcNKaBeAwZN8l', 'VktYwj7JQBQcxIVfZaC4SpqCm6'
                    Source: XClient.exe.0.dr, PSuOZd7AkyEdpWimPEaFJnrz990n0VpJt0zVpq5NJWUZ701la.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'dEWNbOjaqFv3mBC5ZkdTlKiObWpPGDq6XI', '_7lm8sHd3iDnCqAlJhTFndhBap6KbRWR089', 'jwFydvEk66dJYVz760xzrO8Bl2R69yC4OP', 'guFPynHezDF3AERX7kc16WbLGWHWiCoK6l'
                    Source: XClient.exe.0.dr, Dta8jxDirZHeLhmDeLbp8yn6Wkbd75knK0.cs | High entropy of concatenated method names: 'MicVNpnRsfxVBjQEEJ3ZG3mX2gwFVjcH08', '_4NvvqWHkUqqz1f2yuq9Hxt1dNQwHKRO8h3', 'WTa4jMd95lXxUtEaJYtiRhTbUuizZcjWsI', '_3FLgbcckSNR4i1zdlMzbIoihw2xU1Fj1tCbq87VagCnbI9iKEYbhLXk1f396cdwsengzfm1s8gMHZ2wVf6NSS2m2hcM03SohHFC', 'Vk076z1LcPzux2nWjfDTEdReusB1vdUfhHVBcm2hzgSbHzZEetBZ3KCcMPjY3aDR9rIaEpwUxtoijcraasxpKrCZ9sXpOsvRNCJ', 'ZTzoqSTV7lRuhpFQh5w9kE8rZODKqHcZM0EYkPrjFdv4KBqiFsq3u0r8MolyDXVA7CEUgXqlBygrjaj1LkHtondCpeXLHSqk4Rk', 'H2004DbHyd5POphIAgrR6KfQqAXajFGPU1BkuIYuQJjufx42n3FdWMqiLknUpaQWnvo9z1SIkKEQFUoq2HakOXTkanyFwrUz975', 'wIseS4SA1qj727iRTctXHYNqPTBXWvpmZqSRretlONnvS8Mv2UqdXyRJ6li8FJsBZxijlxUHrJpqzl7DWeS1ZNRlyNdT4sZmYUp', 'dWXt3nj9kLH0iKyLJt0hPdeJ1xaFldVS0rby9qPX2rXQqwrVfvAu7QnVbXhjyayXz9enR0PEjWvCA2gzvNJlGejOB6yxkLIW6ke', 'T0RBmmjgsVcY7YElakbotM6RfH5WXjkl7XUDKz19QvNMv2Nbr8n0KmeDzkvffe7h7IOGQGVy0pc2lGUrKJqsLyXwHonJuR2nvea'
                    Source: XClient.exe.0.dr, pLjLSZ2ZupXUjBLEOGDjVtpwEC5dX4LALA.cs | High entropy of concatenated method names: 'qLZawPjbb5Scsd5DR8aJifDtTZ2W93hqOk', 'T5r0xorAlbPnuKWeEgpBPNUM2WqhuJYsJi', 'Mn9cg7nFqrRrmokNO0BklIqSHKWk0WxLF0', 'oU3gGHa4xmGUnIW7N8KnTd20a3yatJylVn', 'qEmjNQi2QUsiE4Et7mt4TfYAWN63jraB4m', 'Cu8duXlQOS1RzoDrXeiAee0CZBYZpFYqTY', 'wHZqPpteU1wW68rmhmuYZ7A687qclM5Sq6', 'wZOSw13nzyCO93czimvaKxlDTGM5zBhqAt', 'A4w43Q7JJbCVPoe9U4QOwbtDvF2mah2cIw', 'jvUXRGHz1rSxwzWVhfkDOI8ZyhD1gqUeSu'
                    Source: XClient.exe.0.dr, BeWmmgLyPA76MVOb3AYOrJrBxBHp785osW.cs | High entropy of concatenated method names: 'A8306GEFuk5AaTBrmymkLOZr9gV3TgY0hK', '_7YT7BnpsM7c97sqfkbzsrVtEvYLg6puswC', 'MDb8mYyGP75NpbrQ1dskYXMmSKgltRxltR', 'eaQs87kT1b13pGMj1y96P59zlvbrBpy0fs', '_6RfK7C37SeNl0eyYPpKTDmrXP572X93rBP', 'fKSaa4rcJHzqe5vRsNW9tkiWKLpA1cZ43g', 'cCd0WPRl4Qo3nt2CK535xDTPS823dZsLAa', 'ZSFQ56Ofl5n8VTZmwVUcui4meNJGk1f5IE', 'Iv1cyf0GTNA8VkPKgNdCDqIFPQHKrwiJWt', 'KTPhlH1GFVwps38ljldNWk6i6irnM09bxF'
                    Source: XClient.exe.0.dr, vy4Y7qijDBz7kr0T4O2YePRQAZoSC4WcBq.cs | High entropy of concatenated method names: 'f3B80Z8AZBs8TO5RimADnOkOfNcO4plizk', 'VvL5HlpvHU5KsyfTHiGpOu5Nrwh5tiVYwR', 'Rt1QoyyBc67MysSAh6y7VCqmmVqW5sxtR2', 'QSO8kOYTbE25hjfw2lDjS4llzRJYIUh1HH', 'c65EDSpkkaHFBEHXLcxvD3mZylBey8wRXre34f0XhXcG4PlcY027GOt66aV6LyiZDbyPWS5lchLC30rJ8rpu', 'sG7cDpB3E8ApIB26HlqN4WCexDUOg3GBZ4M5rVxXR06FJ63Jr4BVqpeq335Ln0rgHXmWXyX9D1pcezXIpCCl', 'ZF2Y2GzxOV00ZmMxRJgzlq3bWr7nBy3Cfv4kfeVyDhrBKcUN3QkrCm5uG6DGItvuhcQNIT5PK1YKzA5XB3jT', 'rTa8bfDmLOsggz0Ku4i51gYo2dIJjne33MBKa9nHysDXQ0h7YQTFxU7uxPyDxeAObI1qsqzEIIKLA6d5LLKU', 'YyJga9L2JvY75KtDu1Mtyaj5V3Qp1AW4uYmEFfuDCfwLAHNnMzIdqKgQaXc6OQTfnTRXGv8PVfvFh5JTcIMb', 'RFjlAmTWkg3xRJSw4XQ2nf4C7P3YP8ZTImIvPd7Z8HlONhBMzysNE7miXOKEnECNx0925anJJWqTldlTrj7z'
                    Source: XClient.exe.0.dr, 22NxkfZXSfcYpmiLLV9W1QyCvJkxTznk3ySZWr0UQeyoW6XbG.cs | High entropy of concatenated method names: 'fOogfNP2eY6k2mdHA2GTL32GfcQGR1iTWPBdcPRYQ6eu7j1E8', 'cQUDopltkauFMGDkhHALMgUj3037GXRY8NqajctnJyPukfZ49', 'ML7jH2H32s0dHV2RttVKAbJ8D8mj8lVaX5tJMGdG2VdFnMQ5C', 'IBXEDUlvFHf0inXTqOKWCyyA4sK4qZdUwLWcf1I3qf1icm7xU', 'yEpY3UMYXJMhEdjRoIv6zR06nN5lqWOI41j4lbt5WVo7XOu7R', 'SRdyRy3JUvrj9FyiZwzssCLt1ayquEdFSstVNA1BgIZ0znWQ7', 'FONzpBgYzBL1OjNZctt29w0JodEThZJFWNe4YZQKzs10WKkqv', 'sLmsQ9pJVYryMR7wpbjfgGy7hHNkajejSgryOKxhwbTbWJna3', 'pjU7AbNIw0dE3iHTDkgs6jL9L5K9ZKzYoVdrppSA11KRgz4Ef', 'Nl9o9IIhb5vv5IKw6eoJ9JCK1xkgVhrdtuXVwY3yPKkCwJb7x'
                    Source: XClient.exe.0.dr, jJ0CgMM7uFvZAbj3myxJjZC2nCSCh3rAas.cs | High entropy of concatenated method names: '_6q09CMfySLK4V89D2ORdvpjEesvUUNQdWn', 'm2hL01tlQ1GHUqGCT5cYVa2Q2fwUB1I8coiqxTWxpXk8Ot7WfApxsJKYWmg2GLoME43vzPvQneK9WOs3Z2pm', 'YbuCNXcKlGf2mQRM8grCmUTVt8wW48g6iEBAuVzP0WFuWkfIHg7sFcoUfxFwhiOFPI5r8YfOTs0j1WyhcjOq', 'DvEzbajeHom9h12jcoXriZxFOWplyozWIwkCVHvxGgAEXX2UEVJsOSkDtnttE0cWQYfb3c0LaALKDeZxj4QR', 'LpsOcL32g0fN6xckUOMemU6GswuGRPN2HGS4ks8EsmEly76GMyi2ze26tAO3anJRVgnt9EhKq60emAQWhWzC'
                    Source: XClient.exe.0.dr, 8Lq73mxKPrHYM5yjHSJDYgIOQpogUYhe2nAdpS5uJ5UGbPnYK.cs | High entropy of concatenated method names: 'ot9qgS2m8ICcurlRhYbLbxnkNGambZretfSjVY8qgjaDz5a9e', '_6uRgztByvQP9FNJrObwCBDFSE7yCLphrExmigpkHxTU8GPEwu', 'QhJUtANrn0oE78fhouEm6GJREsuW6O1gGyss6ehLsfL2UDXxR', 'yfopTkYIyNFUSU3VtDqrnhOOPAmdSTLbFs3ZrSfboKsfUxXnS', 'eD9f4GtVcnNaU6EAr2bmvpUSEcbj1fMmyqs4Ylu44gKcmuH0l', 'OHRPkVEqTSGhsq7Qu729Y5Z63siZQisgMN3eT0L9gvqZ7Tmlp', 'aeYai11Un50yKhpRdHI4dbYjoUJEOEgB7YVRr66GNF4zCUfQt', '_4Fpe3tajqd33V1XVa9F0h4X8PPWPY3pY9WNl2gPP9LwNiZKMW', 'zKosi0fdxwGrEtLwWIt47b0sMqLc4qMNVaDEY6cq2VTZ1GW5x', 'zsjC4ZX0YpwcRJsTSC2Z0g7R4VuaCZRLIzYc4v6EQK5ONtuvG'
                    Source: XClient.exe.0.dr, fd90a9adfHr7Ksb0tsXFMke4MJw3wAPob0.cs | High entropy of concatenated method names: 'o2yRB51xsKaD7K8iCLdIe2gsKQkQNuVDot', 'lGsZLGP3MDbq7pVKbQK5zjHLrGcs2JrCmd', 'GNtqGnvoA4iMK0IEOE9vIghCHpajmBBgH1', '_8qlgo33e9tW1VkA8CUtQIFW66ywRuaN5Rz', 'z9361pcb3RZy2y9maroL9uJzDGeSYo54gK', '_3B0IZlfAepHjoozBkG1KjDiCRoCjbQu6Ea', '_6pDE2AEw4KOFIvZyxA7eFHthzi2iLbNVHZ', 'hjMS9nI38oypn9OxejAmMIhjUH9nzTOIUS', 'qgJu6SPHnfbVSRnKevtfbT896ypW3d74hP', 'aQ0kaNCPAGH5jedLJxRoBI0XlH2xmWOCSE'
                    Source: XClient.exe.0.dr, 7OgDZv9MpWbfDx6MJaz4HcLf4cUxVCgapJ.cs | High entropy of concatenated method names: 'CeDjyxVO55gIjzWJgvSTvzEhrZWars6sed', 'EwSUwfP4bCGuVAkpJx54JyFRhWSzoUqqN6GYKEogFxYNG98ejmGZ9qaQF2bspKEOVRQmM3x01dQIt7MioTWN6jIkDyF5OKujF31', 'Evwm0VXaHcxpkdU7v9BBrQMETIFAmrxeY7pHcmLKifPQb1sRvzLEDcDXlEu7rfnDefX449ZOrWuemPcR5VIl28Ukc0CmuEbk3z7', 'xLJ5wp9zagaC56fAYl7Flg1RpNV8hobdYQHXf8kTqZNNuuc3zabunp7qjbVPJ4mDj2Xggc4Tk2o1AU3EG9nj8DFolosMxbMX1mL', 'dP3G15ONOfaVHMmPkkCbvlg6x75UuIr3Zfq1hsIaXr6LGfcaxqQdGJtUFCq9v6i1kWvAPVs95U6djhQyCIP6fjhiTF83aWHYXqA'
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: gs7lQa4EuM.exe, XClient.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Memory allocated: 620000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Memory allocated: 1A390000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Memory allocated: 26B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Memory allocated: 1A840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Memory allocated: 1100000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Memory allocated: 1AE60000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3321Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6450Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7739Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1824Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7928Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1681Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7767
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1818
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exe TID: 8064Thread sleep time: -59000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6424Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316Thread sleep count: 7739 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316Thread sleep count: 1824 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep count: 7928 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep count: 1681 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840Thread sleep count: 7767 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844Thread sleep count: 1818 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 4308Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3256Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\XClient.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477
                    Source: XClient.exe.0.drBinary or memory string: vmware
                    Source: gs7lQa4EuM.exe, 00000000.00000002.2542955202.000000001B1A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\gs7lQa4EuM.exeProcess information queried: ProcessInformationJump to behavior
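The following PowerShell function is an added example, not code from the report or from the sample: it re-runs, from the analyst's side, the environment checks the entries above show the sample making (the Win32_ComputerSystem query behind the vmware string, the SbieDll.dll presence test, the ip-api.com hosting lookup and the C:\ volume-size query), so you can see what your analysis VM would reveal to it. The function name, the hypervisor keyword list and the output format are the author's assumptions; the live ip-api.com request is opt-in so the function runs offline by default.

```powershell
# Added example (not from the Joe Sandbox report or the sample): reproduce the
# sample's environment checks on an analysis VM. Keyword list and function name
# are assumptions by the author of this example.

function Test-SampleEvasionChecks {
    [CmdletBinding()]
    param(
        # Opt in to query ip-api.com exactly as the sample does; off by default so
        # the function works without network access.
        [switch]$QueryHostingFlag
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. WMI "Select * from Win32_ComputerSystem": hypervisors leave their name in
    #    Manufacturer/Model, which is what a 'vmware' string comparison targets.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $vmKeywords = @('vmware', 'virtualbox', 'hyper-v', 'virtual machine', 'qemu', 'kvm', 'xen')  # assumed list
    $hw = "$($cs.Manufacturer) $($cs.Model)"
    foreach ($kw in $vmKeywords) {
        if ($hw -match [regex]::Escape($kw)) {
            $findings.Add("Win32_ComputerSystem exposes hypervisor string '$kw': $hw")
        }
    }

    # 2. Sandboxie: the sample carries the string SBIEDLL.DLL; Sandboxie injects
    #    that DLL into every sandboxed process, so a loaded-module check finds it.
    $sbie = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'SbieDll.dll' }
    if ($sbie) { $findings.Add("SbieDll.dll is loaded in this process: $($sbie.FileName)") }

    # 3. Hosting check: GET http://ip-api.com/line/?fields=hosting answers with a
    #    single line, "true" or "false", for the egress IP.
    if ($QueryHostingFlag) {
        try {
            $resp = Invoke-WebRequest -Uri 'http://ip-api.com/line/?fields=hosting' -UseBasicParsing -TimeoutSec 10
            $findings.Add("ip-api.com hosting flag for the egress IP: $($resp.Content.Trim())")
        } catch {
            $findings.Add("ip-api.com lookup failed: $($_.Exception.Message)")
        }
    }

    # 4. Volume size: the report shows FullSizeInformation queries on C:\; small
    #    analysis disks are a common sandbox tell, so report what the sample sees.
    $c = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
    $findings.Add(("C: size {0:N0} GB, free {1:N0} GB" -f ($c.Size / 1GB), ($c.FreeSpace / 1GB)))

    return $findings
}

# Offline run; add -QueryHostingFlag on a VM whose egress you want to test.
Test-SampleEvasionChecks | ForEach-Object { Write-Output $_ }
```

If the first finding names your hypervisor, or the hosting flag comes back "true", the sample's checks would classify the host as an analysis environment; fixing the SMBIOS strings or routing egress through a residential-looking IP addresses those two checks separately.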

                    Anti Debugging

Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Code function: 0_2_00007FFAAC557661 CheckRemoteDebuggerPresent, 0_2_00007FFAAC557661
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 occurrences)
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe' (4 occurrences)
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' (3 occurrences)
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gs7lQa4EuM.exe'
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Queries volume information: C:\Users\user\Desktop\gs7lQa4EuM.exe VolumeInformation
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (24 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (12 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (4 occurrences)
Source: C:\Users\user\AppData\Roaming\XClient.exe | Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\gs7lQa4EuM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
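The PowerShell below is an added example, not code from the report, the sample or Microsoft: it shows how a responder confirms and reverses what the Add-MpPreference process creations above do on a host. It reads the live exclusion lists, pulls Defender's own configuration-change records (event 5007 in the Microsoft-Windows-Windows Defender/Operational log) and the process-creation records that carry the command line (Security 4688 with command-line auditing enabled, or Sysmon event 1), then removes exactly the two path and two process exclusions the report lists. The two exclusion paths and process names are the report's; the function names, the seven-day window and the regular expressions are assumptions. Run it from an elevated prompt, since Defender can hide the exclusion lists from unprivileged callers, and note that -ExecutionPolicy Bypass in the observed command lines is not something to detect on by itself: execution policy is not a security boundary, the Add-MpPreference cmdlet is the signal.

```powershell
# Added example (not from the report): triage and undo the Defender exclusions the
# sample adds. Paths and process names are from the report; everything else is an
# assumption by the author of this example. Run elevated.

$SuspectPaths     = @('C:\Users\user\Desktop\gs7lQa4EuM.exe', 'C:\Users\user\AppData\Roaming\XClient.exe')
$SuspectProcesses = @('gs7lQa4EuM.exe', 'XClient.exe')

function Get-DefenderExclusionEvidence {
    [CmdletBinding()]
    param([int]$Days = 7)   # look-back window, an assumed default
    $since = (Get-Date).AddDays(-$Days)

    # 1. Current exclusion lists: this is the state Add-MpPreference wrote.
    $pref = Get-MpPreference
    $current = [pscustomobject]@{
        ExclusionPath    = @($pref.ExclusionPath)
        ExclusionProcess = @($pref.ExclusionProcess)
    }

    # 2. Defender Operational log, event 5007: one record per configuration change,
    #    with the registry value that changed (...\Exclusions\Paths\<path>) in the message.
    $configEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes|Extensions)' }

    # 3. Process creation with command line: Security 4688 (needs "Include command
    #    line in process creation events") or Sysmon event 1. Match the cmdlet plus an
    #    exclusion parameter so ordinary Defender administration with other switches is not flagged.
    $cmdFilter = { $_.Message -match 'Add-MpPreference' -and $_.Message -match '-Exclusion(Path|Process|Extension)' }
    $procEvents = @()
    $procEvents += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue | Where-Object $cmdFilter
    $procEvents += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue | Where-Object $cmdFilter

    [pscustomobject]@{
        CurrentExclusions   = $current
        ConfigChangeEvents  = $configEvents
        ProcessCreateEvents = $procEvents
    }
}

function Remove-SuspectExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Paths = $SuspectPaths, [string[]]$Processes = $SuspectProcesses)
    $pref = Get-MpPreference
    # Only touch entries that are actually present, and only the ones we were asked about,
    # so legitimate exclusions an administrator configured are left alone.
    $paths = @($Paths     | Where-Object { $pref.ExclusionPath    -contains $_ })
    $procs = @($Processes | Where-Object { $pref.ExclusionProcess -contains $_ })
    if ($paths.Count -and $PSCmdlet.ShouldProcess(($paths -join ', '), 'Remove-MpPreference -ExclusionPath')) {
        Remove-MpPreference -ExclusionPath $paths
    }
    if ($procs.Count -and $PSCmdlet.ShouldProcess(($procs -join ', '), 'Remove-MpPreference -ExclusionProcess')) {
        Remove-MpPreference -ExclusionProcess $procs
    }
}

$evidence = Get-DefenderExclusionEvidence -Days 7
$evidence.CurrentExclusions   | Format-List
$evidence.ConfigChangeEvents  | Select-Object TimeCreated, Message | Format-List
$evidence.ProcessCreateEvents | Select-Object TimeCreated, Message | Format-List
# Dry run first; drop -WhatIf to actually remove the entries.
Remove-SuspectExclusions -WhatIf
```

Event 5007 is the record to rely on when command-line auditing was not enabled at the time: Defender writes it itself, so it exists even where 4688 lacks the command line and Sysmon is not installed. Removing the exclusions before deleting the files matters because the path exclusion also suppresses scanning of anything later written to the same path.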

                    Stealing of Sensitive Information

Source: Yara match | File source: gs7lQa4EuM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.gs7lQa4EuM.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2536397459.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gs7lQa4EuM.exe PID: 6960, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

                    Remote Access Functionality

Source: Yara match | File source: gs7lQa4EuM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.gs7lQa4EuM.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2536397459.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gs7lQa4EuM.exe PID: 6960, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the numeric markers that precede a technique are kept as they appear in the report)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 1 Windows Management Instrumentation | 1 PowerShell | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 11 Process Injection | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 1 Masquerading | 11 Disable or Modify Tools | 51 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 11 Obfuscated Files or Information | 2 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 421 Security Software Discovery | 1 Process Discovery | 51 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | 1 File and Directory Discovery | 23 System Information Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 11 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 1 Encrypted Channel | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
[Behavior graph (image) not reproduced; the details recoverable from it follow]
Behavior Graph ID: 1579066; Sample: gs7lQa4EuM.exe; Start date: 20/12/2024; Architecture: WINDOWS; Score: 100
Network (from gs7lQa4EuM.exe): ip-api.com 208.95.112.1, 49700, 80, TUT-ASUS, United States
Dropped file (by gs7lQa4EuM.exe): C:\Users\user\AppData\Roaming\XClient.exe, PE32
Process tree: gs7lQa4EuM.exe started and launched four powershell.exe instances, each with its own conhost.exe; XClient.exe started twice
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
Signatures on gs7lQa4EuM.exe: Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Signatures on XClient.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Signatures on powershell.exe: Loading BitLocker PowerShell Module

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
gs7lQa4EuM.exe | 79% | ReversingLabs | Win32.Exploit.Xworm
gs7lQa4EuM.exe | 100% | Avira | TR/Spy.Gen
gs7lQa4EuM.exe | 100% | Joe Sandbox ML |
Antivirus detection for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XClient.exe | 79% | ReversingLabs | Win32.Exploit.Xworm
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
ip-api.com | 208.95.112.1 | true | false | | high
URLs (Name | Malicious | Antivirus Detection | Reputation):
http://ip-api.com/line/?fields=hosting | false | | high
environment-robots.gl.at.ply.gg:37139 | true | | unknown
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation):
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1391404235.000001C467651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1493071911.00000287A7A50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1649361262.000002183928F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000009.00000002.1669277776.000002184185B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.mMp | powershell.exe, 00000003.00000002.1398854965.000001C46FC9E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microso | powershell.exe, 00000003.00000002.1398038770.000001C46FC14000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1372795036.000001C457808000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.0000028797C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1372795036.000001C457808000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.0000028797C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1391404235.000001C467651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1493071911.00000287A7A50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1649361262.000002183928F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 00000006.00000002.1513280504.00000287B00BA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-api.com | gs7lQa4EuM.exe, 00000000.00000002.2536397459.0000000002452000.00000004.00000800.00020000.00000000.sdmp, gs7lQa4EuM.exe, 00000000.00000002.2536397459.0000000002440000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.1836908022.000002381006D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.microsoft.coyp | powershell.exe, 00000003.00000002.1398038770.000001C46FC14000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1372795036.000001C4575E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.00000287979E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.0000023800001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | gs7lQa4EuM.exe, 00000000.00000002.2536397459.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1372795036.000001C4575E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1434869063.00000287979E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1549985334.0000021829221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1701499349.0000023800001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.v | powershell.exe, 00000003.00000002.1396579927.000001C46F920000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.1701499349.000002380022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.m.com/pkiDocsory.pc | powershell.exe, 0000000B.00000002.1877733648.000002387BB9A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1579066
                                                                  Start date and time:2024-12-20 19:00:09 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 6m 31s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:gs7lQa4EuM.exe
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:55e67256addca7beac549792d5cad73bd1913f283bb59c5331e399234cd82409.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.evad.winEXE@15/21@1/1
                                                                  EGA Information:
                                                                  • Successful, ratio: 14.3%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 82
                                                                  • Number of non-executed functions: 8
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target XClient.exe, PID 2196 because it is empty
                                                                  • Execution Graph export aborted for target XClient.exe, PID 3260 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 3540 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7232 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7548 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7756 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • VT rate limit hit for: gs7lQa4EuM.exe
Time | Type | Description
13:01:15 | API Interceptor | 53x Sleep call for process: powershell.exe modified
14:34:31 | API Interceptor | 284x Sleep call for process: gs7lQa4EuM.exe modified
20:34:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
20:34:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
20:34:50 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Context for IP 208.95.112.1 (Associated Sample Name / URL | Detection | Threat Name | Context):
doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
DHL_231437894819.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
dlhost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
xt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
roblox1.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
roblox.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | ip-api.com/json
x.ps1 | malicious | Quasar | ip-api.com/json/
Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
Context for domain ip-api.com (Associated Sample Name / URL | Detection | Threat Name | Context):
doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
dlhost.exe | malicious | XWorm | 208.95.112.1
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
xt.exe | malicious | XWorm | 208.95.112.1
roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
x.ps1 | malicious | Quasar | 208.95.112.1
https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
Context for ASN TUT-ASUS (Associated Sample Name / URL | Detection | Threat Name | Context):
doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 208.95.112.1
DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
dlhost.exe | malicious | XWorm | 208.95.112.1
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
xt.exe | malicious | XWorm | 208.95.112.1
roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
x.ps1 | malicious | Quasar | 208.95.112.1
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                  File Type:CSV text
                                                                  Category:dropped
                                                                  Size (bytes):654
                                                                  Entropy (8bit):5.380476433908377
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):0.34726597513537405
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlll:Nll
                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                  Malicious:false
                                                                  Preview:@...e...........................................................
                                                                  Process:C:\Users\user\Desktop\gs7lQa4EuM.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):41
                                                                  Entropy (8bit):3.7195394315431693
                                                                  Encrypted:false
                                                                  SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                  MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                  SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                  SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                  SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                  Malicious:false
                                                                  Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\Desktop\gs7lQa4EuM.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 18:34:31 2024, mtime=Fri Dec 20 18:34:31 2024, atime=Fri Dec 20 18:34:31 2024, length=92672, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):768
                                                                  Entropy (8bit):5.10791978858159
                                                                  Encrypted:false
                                                                  SSDEEP:12:8iawwd24gTN+2Chmhi1Y//XbtxSLo/amTjAUNHkazWCzBmV:8imL2T9pWvm3Af0WCtm
                                                                  MD5:97981FED25D1002A91D50F7BEB56630F
                                                                  SHA1:3A5A877FAB8493986C49B15844FB25E5307C9F73
                                                                  SHA-256:A1D3C3971A222C00B1EDB743760CB64AD2BCE68761F2970DDD809B47378E7BCA
                                                                  SHA-512:E89FD5793BC1045F722B0DBFE5FB7F0BCFDE34CE730A3D153130B7E0D27FB07BEBAB5DFFEEC52054726EB8A5833A15FC65E0721F198B1A44CC504BBC3319A9BC
                                                                  Malicious:false
                                                                  Preview:L..................F.... ....g.0.S...g.0.S...g.0.S...j......................v.:..DG..Yr?.D..U..k0.&...&......Qg.*_....8. .S...R.1.S......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y;...........................3*N.A.p.p.D.a.t.a...B.V.1......Y!...Roaming.@......EW.=.Y!............................A..R.o.a.m.i.n.g.....b.2..j...YP. .XClient.exe.H......YP..YP............................].X.C.l.i.e.n.t...e.x.e.......]...............-.......\..............@.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......216554...........hT..CrF.f4... .8..W.....,......hT..CrF.f4... .8..W.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                  Process:C:\Users\user\Desktop\gs7lQa4EuM.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):92672
                                                                  Entropy (8bit):5.944713304210017
                                                                  Encrypted:false
                                                                  SSDEEP:1536:x5luo6w5eTSqi2REETjJ0hUpR1bb9lZd6SeV74OZ+TGKrDL:vn6Y2LjKar1bbid4OsXX
                                                                  MD5:74D715684A39963B0D423A3A1C9F20D5
                                                                  SHA1:68058B84381CEF6CE5987014E15CF76574445390
                                                                  SHA-256:55E67256ADDCA7BEAC549792D5CAD73BD1913F283BB59C5331E399234CD82409
                                                                  SHA-512:4BE9BF0D49CF485347B4C97C4B792A0A4C437918F9701D1D58AA7334A1735C1D15C3D311681E08A4A66D818C85F429EE363A8FB8F6C77D2A62658EF254E096B3
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....dg.................`............... ........@.. ....................................@.................................H...S.................................................................................... ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............h..............@..B........................H........m..........&.....................................................(....*.r...p*. <...*..(....*.rG..p*. ./..*.s.........s.........s.........s.........*.r...p*. ..e.*.r...p*. h.:.*.r...p*. ..].*.r_..p*. .l..*.r...p*. ....*..((...*.r...p*. ....*.rP..p*. .x!.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Y...*"(....+.*&(&...&+.*.+5sj... .... .'..ok...(,...~....-.(_...(Q...~....ol...&.-.*.r...p*. .#..*.r_..p*. W.R.*.r...p*. ..*.rm..p*. *p{.*.r...p*.r{..p*. .(T.*.r...p*. 9.
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):5.944713304210017
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:gs7lQa4EuM.exe
                                                                  File size:92'672 bytes
                                                                  MD5:74d715684a39963b0d423a3a1c9f20d5
                                                                  SHA1:68058b84381cef6ce5987014e15cf76574445390
                                                                  SHA256:55e67256addca7beac549792d5cad73bd1913f283bb59c5331e399234cd82409
                                                                  SHA512:4be9bf0d49cf485347b4c97c4b792a0a4c437918f9701d1d58aa7334a1735c1d15c3d311681e08a4a66d818c85f429ee363a8fb8f6c77d2a62658ef254e096b3
                                                                  SSDEEP:1536:x5luo6w5eTSqi2REETjJ0hUpR1bb9lZd6SeV74OZ+TGKrDL:vn6Y2LjKar1bbid4OsXX
                                                                  TLSH:6A937D287BE64119F2FFAFB55DE57253CA36F6232903D95F20D1024E0623A84CD916FA
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................`............... ........@.. ....................................@................................
                                                                  Icon Hash:00928e8e8686b000
                                                                  Entrypoint:0x417f9e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x676487C6 [Thu Dec 19 20:53:26 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17f48 | 0x53 | .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x4ce | .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                  .text | 0x2000 | 0x15fa4 | 0x16000 | 1b0450798395ab816c2a583b37becf51 | False | 0.5990988991477273 | data | 6.001407577239758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                  .rsrc | 0x18000 | 0x4ce | 0x600 | ea405f2b632f147544083371f440226a | False | 0.37109375 | data | 3.7170775483210745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc | 0x1a000 | 0xc | 0x200 | 0ca5dd4b0e6809ee05c013b75964714b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                  RT_VERSION | 0x180a0 | 0x244 | data | | | 0.46551724137931033
                                                                  RT_MANIFEST | 0x182e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                                  DLL | Import
                                                                  mscoree.dll | _CorExeMain
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Dec 20, 2024 19:01:13.467459917 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                                                  Dec 20, 2024 19:01:13.588227987 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                                                  Dec 20, 2024 19:01:13.588336945 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                                                  Dec 20, 2024 19:01:13.589303970 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                                                  Dec 20, 2024 19:01:13.709022045 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                                                  Dec 20, 2024 19:01:14.685364962 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                                                  Dec 20, 2024 19:01:14.725159883 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                                                  Dec 20, 2024 19:02:23.161750078 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                                                  Dec 20, 2024 19:02:23.161855936 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                                                  Dec 20, 2024 19:02:54.699481010 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                                                  Dec 20, 2024 19:02:54.819407940 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Dec 20, 2024 19:01:13.299079895 CET | 60036 | 53 | 192.168.2.7 | 1.1.1.1
                                                                  Dec 20, 2024 19:01:13.437165976 CET | 53 | 60036 | 1.1.1.1 | 192.168.2.7
                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                  Dec 20, 2024 19:01:13.299079895 CET | 192.168.2.7 | 1.1.1.1 | 0x42fb | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                  Dec 20, 2024 19:01:13.437165976 CET | 1.1.1.1 | 192.168.2.7 | 0x42fb | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                  • ip-api.com
                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  0 | 192.168.2.7 | 49700 | 208.95.112.1 | 80 | 6960 | C:\Users\user\Desktop\gs7lQa4EuM.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 20, 2024 19:01:13.589303970 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                                  Host: ip-api.com
                                                                  Connection: Keep-Alive
                                                                  Dec 20, 2024 19:01:14.685364962 CET | 175 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 18:01:14 GMT
                                                                  Content-Type: text/plain; charset=utf-8
                                                                  Content-Length: 6
                                                                  Access-Control-Allow-Origin: *
                                                                  X-Ttl: 60
                                                                  X-Rl: 44
                                                                  Data Raw: 66 61 6c 73 65 0a
                                                                  Data Ascii: false

                                                                  Target ID:0
                                                                  Start time:13:01:08
                                                                  Start date:20/12/2024
                                                                  Path:C:\Users\user\Desktop\gs7lQa4EuM.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\gs7lQa4EuM.exe"
                                                                  Imagebase:0xc0000
                                                                  File size:92'672 bytes
                                                                  MD5 hash:74D715684A39963B0D423A3A1C9F20D5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1284907896.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2536397459.0000000002391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:3
                                                                  Start time:13:01:14
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gs7lQa4EuM.exe'
                                                                  Imagebase:0x7ff741d30000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:13:01:14
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff75da10000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:13:01:20
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gs7lQa4EuM.exe'
                                                                  Imagebase:0x7ff741d30000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:13:01:20
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff75da10000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:14:33:52
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                                                                  Imagebase:0x7ff741d30000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:14:33:52
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff75da10000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:14:34:08
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                                  Imagebase:0x7ff741d30000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:14:34:08
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff75da10000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:14:34:42
                                                                  Start date:20/12/2024
                                                                  Path:C:\Users\user\AppData\Roaming\XClient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Roaming\XClient.exe"
                                                                  Imagebase:0x6a0000
                                                                  File size:92'672 bytes
                                                                  MD5 hash:74D715684A39963B0D423A3A1C9F20D5
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 79%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:14:34:50
                                                                  Start date:20/12/2024
                                                                  Path:C:\Users\user\AppData\Roaming\XClient.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Roaming\XClient.exe"
                                                                  Imagebase:0xbc0000
                                                                  File size:92'672 bytes
                                                                  MD5 hash:74D715684A39963B0D423A3A1C9F20D5
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:18.8%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:6.2%
                                                                    Total number of Nodes:48
                                                                    Total number of Limit Nodes:2
                                                                    execution_graph 4498 7ffaac5590a1 4499 7ffaac5590ab 4498->4499 4502 7ffaac558950 4499->4502 4505 7ffaac558948 4502->4505 4511 7ffaac55c692 4505->4511 4512 7ffaac55af28 4505->4512 4508 7ffaac55af28 RtlSetProcessIsCritical 4509 7ffaac55c67c 4508->4509 4510 7ffaac55af28 RtlSetProcessIsCritical 4509->4510 4509->4511 4510->4511 4516 7ffaac55af38 4511->4516 4513 7ffaac55af31 RtlSetProcessIsCritical 4512->4513 4515 7ffaac55b032 4513->4515 4515->4508 4517 7ffaac55af41 RtlSetProcessIsCritical 4516->4517 4519 7ffaac5590e8 4517->4519 4520 7ffaac557661 4521 7ffaac55767f CheckRemoteDebuggerPresent 4520->4521 4523 7ffaac55771f 4521->4523 4550 7ffaac558940 4553 7ffaac558945 4550->4553 4551 7ffaac55af38 RtlSetProcessIsCritical 4552 7ffaac55cab7 4551->4552 4554 7ffaac55af28 RtlSetProcessIsCritical 4553->4554 4559 7ffaac55c692 4553->4559 4555 7ffaac55c662 4554->4555 4556 7ffaac55af28 RtlSetProcessIsCritical 4555->4556 4557 7ffaac55c67c 4556->4557 4558 7ffaac55af28 RtlSetProcessIsCritical 4557->4558 4557->4559 4558->4559 4559->4551 4532 7ffaac55be18 4533 7ffaac55be21 SetWindowsHookExW 4532->4533 4535 7ffaac55bef1 4533->4535 4570 7ffaac55ae48 4571 7ffaac55ae3e 4570->4571 4571->4570 4572 7ffaac55afd2 RtlSetProcessIsCritical 4571->4572 4573 7ffaac55b032 4572->4573 4524 7ffaac55c045 4525 7ffaac55c020 4524->4525 4525->4524 4528 7ffaac55af08 4525->4528 4529 7ffaac55af11 RtlSetProcessIsCritical 4528->4529 4531 7ffaac55b032 4529->4531 4536 7ffaac55d095 4537 7ffaac55d09a 4536->4537 4542 7ffaac55af58 4537->4542 4541 7ffaac55d0a9 4543 7ffaac55af61 RtlSetProcessIsCritical 4542->4543 4545 7ffaac55b032 4543->4545 4545->4541 4546 7ffaac55af68 4545->4546 4547 7ffaac55af6f RtlSetProcessIsCritical 4546->4547 4549 7ffaac55b032 4547->4549 4549->4541

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 7ffaac55a3bb-7ffaac55a40a 5 7ffaac55a45a-7ffaac55a489 0->5 6 7ffaac55a40c-7ffaac55a453 0->6 8 7ffaac55a48b-7ffaac55a4a2 5->8 9 7ffaac55a502 5->9 6->5 10 7ffaac559e77-7ffaac559e84 8->10 11 7ffaac55a4a8-7ffaac55a4ae 8->11 14 7ffaac55a507-7ffaac55a542 9->14 12 7ffaac559e8a-7ffaac559f80 10->12 13 7ffaac559788 10->13 11->9 15 7ffaac55a4b0-7ffaac55a4c7 11->15 70 7ffaac55a5fc-7ffaac55a637 12->70 71 7ffaac559f86-7ffaac559fe9 12->71 21 7ffaac55978d-7ffaac5597c1 13->21 16 7ffaac55941a-7ffaac559427 15->16 17 7ffaac55a4cd-7ffaac55a4d4 15->17 16->13 18 7ffaac55942d-7ffaac55946b 16->18 23 7ffaac55a4de-7ffaac55a4e5 17->23 18->11 29 7ffaac559471-7ffaac55948e call 7ffaac557f48 18->29 25 7ffaac5597c8-7ffaac55980a 21->25 26 7ffaac55a4e7-7ffaac55a4f1 call 7ffaac550378 23->26 27 7ffaac55a4f6 23->27 42 7ffaac55982f-7ffaac559863 25->42 43 7ffaac55980c-7ffaac55982d 25->43 26->27 27->9 29->11 36 7ffaac559494-7ffaac5594ce 29->36 45 7ffaac5594d0-7ffaac559523 36->45 46 7ffaac55952d-7ffaac559555 36->46 49 7ffaac55986a-7ffaac5598ac 42->49 43->49 45->46 55 7ffaac55955b-7ffaac559568 46->55 56 7ffaac559e49-7ffaac559e71 46->56 72 7ffaac5598ae-7ffaac5598cf 49->72 73 7ffaac5598d1-7ffaac559905 49->73 55->13 58 7ffaac55956e-7ffaac559660 55->58 56->10 56->11 136 7ffaac559e20-7ffaac559e26 58->136 137 7ffaac559666-7ffaac559763 call 7ffaac550358 58->137 82 7ffaac55a63c-7ffaac55a677 70->82 71->82 94 7ffaac559fef-7ffaac55a052 71->94 76 7ffaac55990c-7ffaac559a23 call 7ffaac550358 72->76 73->76 153 7ffaac559a48-7ffaac559a7c 76->153 154 7ffaac559a25-7ffaac559a46 76->154 90 7ffaac55a67c-7ffaac55a6b7 82->90 99 7ffaac55a6bc-7ffaac55a6f7 90->99 94->90 117 7ffaac55a058-7ffaac55a1b6 call 7ffaac557ec8 94->117 108 7ffaac55a6fc-7ffaac55a737 99->108 118 7ffaac55a73c-7ffaac55a78c 108->118 117->99 191 7ffaac55a1bc-7ffaac55a32a 117->191 142 7ffaac55a78e-7ffaac55a7af 118->142 143 7ffaac55a7b4-7ffaac55a7e8 118->143 136->9 139 
7ffaac559e2c-7ffaac559e43 136->139 137->21 188 7ffaac559765-7ffaac559786 137->188 139->55 139->56 142->143 149 7ffaac55a7ef 143->149 149->149 159 7ffaac559a83-7ffaac559b1a 153->159 154->159 159->13 189 7ffaac559b20-7ffaac559cd0 call 7ffaac550358 159->189 188->25 189->9 237 7ffaac559cd6-7ffaac559cd8 189->237 191->9 229 7ffaac55a330-7ffaac55a332 191->229 229->118 230 7ffaac55a338-7ffaac55a376 229->230 230->108 242 7ffaac55a37c-7ffaac55a3b9 230->242 238 7ffaac559cde-7ffaac559d1c 237->238 239 7ffaac55a547-7ffaac55a594 237->239 238->14 252 7ffaac559d22-7ffaac559dad 238->252 254 7ffaac55a5bc-7ffaac55a5f7 239->254 255 7ffaac55a596-7ffaac55a5b7 239->255 264 7ffaac559daf-7ffaac559df6 252->264 265 7ffaac559dfd-7ffaac559e1a 252->265 254->70 255->254 264->265 265->136
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >$B$L$CAL_^
                                                                    • API String ID: 0-2913334281
                                                                    • Opcode ID: f7e933b63c9b9ca1f9059bb6b4f41cef67bceab5e91698e2af671f30701872f7
                                                                    • Instruction ID: e507712379d885ae022866299f5e71b747034d0de3855f43cd680d49e2627a14
                                                                    • Opcode Fuzzy Hash: f7e933b63c9b9ca1f9059bb6b4f41cef67bceab5e91698e2af671f30701872f7
                                                                    • Instruction Fuzzy Hash: 281262B0A18A098FEB88EB2CC4957B9B7E6FF9D304F14457DE04DD3291DE39A8458B41

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 267 7ffaac559329-7ffaac5593bd call 7ffaac558f40 call 7ffaac550388 call 7ffaac557cc8 278 7ffaac5593bf-7ffaac5593ec call 7ffaac550398 267->278 279 7ffaac5593f1-7ffaac559414 267->279 278->279 283 7ffaac55941a-7ffaac559427 279->283 284 7ffaac55a4cd-7ffaac55a4d4 279->284 285 7ffaac55942d-7ffaac55946b 283->285 286 7ffaac559788 283->286 287 7ffaac55a4de-7ffaac55a4e5 284->287 293 7ffaac559471-7ffaac55948e call 7ffaac557f48 285->293 294 7ffaac55a4a8-7ffaac55a4ae 285->294 289 7ffaac55978d-7ffaac5597c1 286->289 290 7ffaac55a4e7-7ffaac55a4f1 call 7ffaac550378 287->290 291 7ffaac55a4f6 287->291 297 7ffaac5597c8-7ffaac55980a 289->297 290->291 295 7ffaac55a502 291->295 293->294 302 7ffaac559494-7ffaac5594ce 293->302 294->295 298 7ffaac55a4b0-7ffaac55a4c7 294->298 301 7ffaac55a507-7ffaac55a542 295->301 311 7ffaac55982f-7ffaac559863 297->311 312 7ffaac55980c-7ffaac55982d 297->312 298->283 298->284 309 7ffaac5594d0-7ffaac559523 302->309 310 7ffaac55952d-7ffaac559555 302->310 309->310 317 7ffaac55955b-7ffaac559568 310->317 318 7ffaac559e49-7ffaac559e71 310->318 316 7ffaac55986a-7ffaac5598ac 311->316 312->316 335 7ffaac5598ae-7ffaac5598cf 316->335 336 7ffaac5598d1-7ffaac559905 316->336 317->286 320 7ffaac55956e-7ffaac559660 317->320 318->294 323 7ffaac559e77-7ffaac559e84 318->323 386 7ffaac559e20-7ffaac559e26 320->386 387 7ffaac559666-7ffaac559763 call 7ffaac550358 320->387 323->286 327 7ffaac559e8a-7ffaac559f80 323->327 368 7ffaac55a5fc-7ffaac55a637 327->368 369 7ffaac559f86-7ffaac559fe9 327->369 340 7ffaac55990c-7ffaac559a23 call 7ffaac550358 335->340 336->340 407 7ffaac559a48-7ffaac559a7c 340->407 408 7ffaac559a25-7ffaac559a46 340->408 377 7ffaac55a63c-7ffaac55a677 368->377 369->377 391 7ffaac559fef-7ffaac55a052 369->391 385 7ffaac55a67c-7ffaac55a6b7 377->385 397 7ffaac55a6bc-7ffaac55a6f7 385->397 386->295 389 7ffaac559e2c-7ffaac559e43 386->389 387->289 450 7ffaac559765-7ffaac559786 387->450 
389->317 389->318 391->385 418 7ffaac55a058-7ffaac55a1b6 call 7ffaac557ec8 391->418 409 7ffaac55a6fc-7ffaac55a737 397->409 413 7ffaac559a83-7ffaac559b1a 407->413 408->413 419 7ffaac55a73c-7ffaac55a78c 409->419 413->286 454 7ffaac559b20-7ffaac559cd0 call 7ffaac550358 413->454 418->397 476 7ffaac55a1bc-7ffaac55a32a 418->476 443 7ffaac55a78e-7ffaac55a7af 419->443 444 7ffaac55a7b4-7ffaac55a7e8 419->444 443->444 449 7ffaac55a7ef 444->449 449->449 450->297 454->295 500 7ffaac559cd6-7ffaac559cd8 454->500 476->295 522 7ffaac55a330-7ffaac55a332 476->522 501 7ffaac559cde-7ffaac559d1c 500->501 502 7ffaac55a547-7ffaac55a594 500->502 501->301 516 7ffaac559d22-7ffaac559dad 501->516 519 7ffaac55a5bc-7ffaac55a5f7 502->519 520 7ffaac55a596-7ffaac55a5b7 502->520 536 7ffaac559daf-7ffaac559df6 516->536 537 7ffaac559dfd-7ffaac559e1a 516->537 519->368 520->519 522->419 524 7ffaac55a338-7ffaac55a376 522->524 524->409 535 7ffaac55a37c-7ffaac55a3b9 524->535 536->537 537->386
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6$CAL_^
                                                                    • API String ID: 0-2271745412
                                                                    • Opcode ID: 3549f6d2057b335a7c1068f5676974d4235732b9a9d24265851cf42a885a7bd2
                                                                    • Instruction ID: bfe81479bfee03ffc82980283b0c1535fdbda89a056b6ca13afff4ff7d11f461
                                                                    • Opcode Fuzzy Hash: 3549f6d2057b335a7c1068f5676974d4235732b9a9d24265851cf42a885a7bd2
                                                                    • Instruction Fuzzy Hash: 0AD252B0A68B098FEB88EB28C495779B7E6FF99300F14457DE04DD3291DE39E8458741

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8M%$CAL_^
                                                                    • API String ID: 0-488960527
                                                                    • Opcode ID: 7622a45b0cbdb8134bceeaea4af999178031f811bcd55a0f116ed17134024a1e
                                                                    • Instruction ID: 8971b87bb53a0d84d13b78ee8c4496e11912bb4b7e9936977c7996f0aa82bb63
                                                                    • Opcode Fuzzy Hash: 7622a45b0cbdb8134bceeaea4af999178031f811bcd55a0f116ed17134024a1e
                                                                    • Instruction Fuzzy Hash: 3BF1A6B1B59A0A4FEB98EB3884556B977D6FFC9300F40497DE40EC32D2DE39A8458781

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 832 7ffaac557661-7ffaac55771d CheckRemoteDebuggerPresent 836 7ffaac55771f 832->836 837 7ffaac557725-7ffaac557768 832->837 836->837
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID: CheckDebuggerPresentRemote
                                                                    • String ID:
                                                                    • API String ID: 3662101638-0
                                                                    • Opcode ID: f29e0a252f1091cdd3839ff15aef9755cce665ab8cb1c4e15b87d903ba761438
                                                                    • Instruction ID: e24bffa385ce382744d44256e2b1506a3b3513d506623bc1ea4db646e1f87037
                                                                    • Opcode Fuzzy Hash: f29e0a252f1091cdd3839ff15aef9755cce665ab8cb1c4e15b87d903ba761438
                                                                    • Instruction Fuzzy Hash: E331227190871C8FDB58DF68C88A6E97BE0FF65321F04426BD489D7292DB34A806CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8a5d1d971972e7ef566ad4b02935b74e3f5396f6eb4198e7e85bf934c22d9af
                                                                    • Instruction ID: ba34d0352c1d01a27cb852d97a3b4df0d1772028e8f26c223e2f2c6b44f9e0fe
                                                                    • Opcode Fuzzy Hash: f8a5d1d971972e7ef566ad4b02935b74e3f5396f6eb4198e7e85bf934c22d9af
                                                                    • Instruction Fuzzy Hash: 79F19430508A8E8FEBA8DF28C8557E937E1FF55310F04826EE84DC7691DF35A9458B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75d93b6b475aae04f036b5ee3993252d3bbbc16db063b9e5f72aa218a9326bfc
                                                                    • Instruction ID: 4c0e8597d81d15fdfd62604d3f99e837d4c6d584432163d45f8197cb2d22c6fe
                                                                    • Opcode Fuzzy Hash: 75d93b6b475aae04f036b5ee3993252d3bbbc16db063b9e5f72aa218a9326bfc
                                                                    • Instruction Fuzzy Hash: AAE1C430918A8E8FEBA8DF28C8557E977D1EF55310F04826EE84DC7291DF39E9448B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d860c93efd8bf1336d80e27eb8c27a9b7479dceaa5aeb7a2b09d8b385bb4032
                                                                    • Instruction ID: ee0d87d832a844f84765b3ba7588955b85044b054729101db1311d176c26ebca
                                                                    • Opcode Fuzzy Hash: 2d860c93efd8bf1336d80e27eb8c27a9b7479dceaa5aeb7a2b09d8b385bb4032
                                                                    • Instruction Fuzzy Hash: 06C1E460B5DA4E8FFB88EB38885577976D6EF99300F04817DE04EC32D2DE29E8458781
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2cfc299ead719fb977672a587b9acf6142012a383ea7232631ed185322c41bac
                                                                    • Instruction ID: fda1c0bc381253280898cb92c8ccbe7829f1786e1e4975351e3d7ce46abfab7d
                                                                    • Opcode Fuzzy Hash: 2cfc299ead719fb977672a587b9acf6142012a383ea7232631ed185322c41bac
                                                                    • Instruction Fuzzy Hash: D2514651A5E6CA4FE786A778886567A7FD5DF47215B0844FFE08EC71E3DD084806C382

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalProcess
                                                                    • String ID: oZ
                                                                    • API String ID: 2695349919-2220503751
                                                                    • Opcode ID: 7375ca3f728a2555e02bbce30537329baeab47669ffd2b1e4fdaf11c4f3332cd
                                                                    • Instruction ID: 2e798bf4388ce187feb69ee7cf14ae5a4899bbfa54b836bef10939a6b0b5f534
                                                                    • Opcode Fuzzy Hash: 7375ca3f728a2555e02bbce30537329baeab47669ffd2b1e4fdaf11c4f3332cd
                                                                    • Instruction Fuzzy Hash: 2F8127A294E7CA8FF716C76898161B97FE0EF13210B0840BFE0CDD7193D91AE9498391

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 758 7ffaac55af08-7ffaac55af50 764 7ffaac55af82-7ffaac55b030 RtlSetProcessIsCritical 758->764 765 7ffaac55af52-7ffaac55af6a 758->765 773 7ffaac55b038-7ffaac55b06d 764->773 774 7ffaac55b032 764->774 769 7ffaac55af6f-7ffaac55af81 765->769 770 7ffaac55af6c-7ffaac55af6e 765->770 769->764 770->769 774->773
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalProcess
                                                                    • String ID:
                                                                    • API String ID: 2695349919-0
                                                                    • Opcode ID: dc9d07284b32025f0959d2f9a7c858ce68cba8953abaedcb32b8cfac37254bf8
                                                                    • Instruction ID: c3279425077840eaf5c07f3039b41903ae1c8848865c5231201780afd5103344
                                                                    • Opcode Fuzzy Hash: dc9d07284b32025f0959d2f9a7c858ce68cba8953abaedcb32b8cfac37254bf8
                                                                    • Instruction Fuzzy Hash: 83517AB180D7898FE719CB6C98556B87FE0EF12310F0441BFE0CAC3193DA259849C791

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 776 7ffaac55af28-7ffaac55af50 780 7ffaac55af82-7ffaac55b030 RtlSetProcessIsCritical 776->780 781 7ffaac55af52-7ffaac55af6a 776->781 789 7ffaac55b038-7ffaac55b06d 780->789 790 7ffaac55b032 780->790 785 7ffaac55af6f-7ffaac55af81 781->785 786 7ffaac55af6c-7ffaac55af6e 781->786 785->780 786->785 790->789
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalProcess
                                                                    • String ID:
                                                                    • API String ID: 2695349919-0
                                                                    • Opcode ID: 2e4060b1079a597ea220c6d1fef35b6c05174be923dd174c6c2f704ac9ba9597
                                                                    • Instruction ID: de7bcc9c1802ed8694d90a1e281004be495687de667f0182d7e40f740bd57d5b
                                                                    • Opcode Fuzzy Hash: 2e4060b1079a597ea220c6d1fef35b6c05174be923dd174c6c2f704ac9ba9597
                                                                    • Instruction Fuzzy Hash: 764156B180D7898FE719DBAC88456B97FE0EF56311F0441BFE08AD3193DA25A849C791

Control-flow Graph (graph not reproduced; API called: RtlSetProcessIsCritical)
Memory Dump Source
• Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
Similarity
• API ID: CriticalProcess
• API String ID: 2695349919-0

Control-flow Graph (graph not reproduced; API called: SetWindowsHookExW)
Memory Dump Source
• Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
Similarity
• API ID: HookWindows
• API String ID: 2559412058-0

Control-flow Graph (graph not reproduced; API called: RtlSetProcessIsCritical)
Memory Dump Source
• Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
Similarity
• API ID: CriticalProcess
• API String ID: 2695349919-0

Control-flow Graph (graph not reproduced; API called: RtlSetProcessIsCritical)
Memory Dump Source
• Source File: 00000000.00000002.2550623329.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffaac550000_gs7lQa4EuM.jbxd
Similarity
• API ID: CriticalProcess
• API String ID: 2695349919-0
Memory Dump Source
• Source File: 00000003.00000002.1400246986.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
• Snapshot File: hcaresult_3_2_7ffaac520000_powershell.jbxd
Similarity
• String ID: P^7$^7
• API String ID: 0-3639319594
Memory Dump Source
• Source File: 00000003.00000002.1400724145.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
• Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
Similarity
• String ID: X7^g
• API String ID: 0-4181167973
Memory Dump Source
• Source File: 00000003.00000002.1400246986.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
• Snapshot File: hcaresult_3_2_7ffaac520000_powershell.jbxd
Similarity
• String ID: N_^$N_^$N_^$N_^
• API String ID: 0-1196809394
Memory Dump Source
• Source File: 00000003.00000002.1400246986.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
• Snapshot File: hcaresult_3_2_7ffaac520000_powershell.jbxd
Similarity
• String ID: (08$8,8$p08$/8
• API String ID: 0-2069709940
                                                                    • Opcode ID: cbe2202a8fc59e0da0b3650cfb06deeaebcbc795a9202f8153a2f0c043dd552a
                                                                    • Instruction ID: c62606eccad2af328c82a78b2baf1d3e081e497dcaff88f0002f3fa2ee0b4188
                                                                    • Opcode Fuzzy Hash: cbe2202a8fc59e0da0b3650cfb06deeaebcbc795a9202f8153a2f0c043dd552a
                                                                    • Instruction Fuzzy Hash: 5651C931A1CB488FDB1CDF5C98466A8BBE0FB59721F00422FE04993651DB75B856CBC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1516279032.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac520000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d823084438d26bbd0b158eebc23c5cef0ff2b8f6ab1788acbd539f0bcf7745ce
                                                                    • Instruction ID: 3042f0c4de911c6dd4c4b4549994f9110f8b6745e3e52e6da38cc5ce10c5779d
                                                                    • Opcode Fuzzy Hash: d823084438d26bbd0b158eebc23c5cef0ff2b8f6ab1788acbd539f0bcf7745ce
                                                                    • Instruction Fuzzy Hash: 4541367160DB468FE748DB28C855975BBE0EF96310B0444BEE48EC7293E929EC4BC781
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1516279032.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac520000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3393a6c589347aa202366485d5558a51d57bca70da4b8fa6d427fb23e41333f
                                                                    • Instruction ID: 5f513ab01213dc4594c78fdb493fbac49e3ce8838edb1f44035a9155a526da2a
                                                                    • Opcode Fuzzy Hash: e3393a6c589347aa202366485d5558a51d57bca70da4b8fa6d427fb23e41333f
                                                                    • Instruction Fuzzy Hash: F1410F7190DB898FE7599F5C9C065E97FE0FB66310F04426FE48DC3292DA64A815C7C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1515409470.00007FFAAC40D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac40d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f7c2d5c05b84f3f8dd4f9ce94af33a9af3eab517794e7e795909757422e4e5c
                                                                    • Instruction ID: 2016d27ee2ff4dda760a3c65c1512223cf9ad46452956cab592dde4d7274ae0d
                                                                    • Opcode Fuzzy Hash: 2f7c2d5c05b84f3f8dd4f9ce94af33a9af3eab517794e7e795909757422e4e5c
                                                                    • Instruction Fuzzy Hash: 2D41077140EBC49FE7968B28A8459523FF0EF53224B1505DFD0C8CB1A3D629E84AC7D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1516279032.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac520000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 045be31bf3c041b919425d216e1dbe05f9dbd9d950d86450fbbfff91d60bbdfe
                                                                    • Instruction ID: 96903784ec0e4a3b3897a7d3b7ee6151f7a9e341dc32915fa1736b941a61e1bd
                                                                    • Opcode Fuzzy Hash: 045be31bf3c041b919425d216e1dbe05f9dbd9d950d86450fbbfff91d60bbdfe
                                                                    • Instruction Fuzzy Hash: 86313B7190C74C8FEB58DB6C984A6E9BBE0EB96330F04416FD049C3152D675A41ACB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1516279032.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac520000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                    • Instruction ID: f342bc515fce9057003a071d110a7146fe1502a78f418478467f2a9d9d6bdce8
                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                    • Instruction Fuzzy Hash: 1B01677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1517029772.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac5f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bafe33063b0ce63ca64a86c205731e41a037d80325a5ace35a4a7e5824260aad
                                                                    • Instruction ID: 4eeb3e6a64a7c5e0c9425adcdb98f09ba028c11bea88bff446206683fb2d8af8
                                                                    • Opcode Fuzzy Hash: bafe33063b0ce63ca64a86c205731e41a037d80325a5ace35a4a7e5824260aad
                                                                    • Instruction Fuzzy Hash: FCF09A32A4DA458FE758EB5CE4418E877E4EF55320B1580BAF05EC75A3CA29EC448780
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1517029772.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac5f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d2ad8a5d634ac3402519ec7d58a15b9c21107c5184c1e73a183112488507bdf
                                                                    • Instruction ID: 663edfb2c8a6c6893db77cda325e8a8bd06d44d2bc368267f99bbd4417f82db5
                                                                    • Opcode Fuzzy Hash: 1d2ad8a5d634ac3402519ec7d58a15b9c21107c5184c1e73a183112488507bdf
                                                                    • Instruction Fuzzy Hash: 32F03A32A8D6458FE758EB5CE4458A877E0FF45320B5580B6F18ECB463DA2AEC448790
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1517029772.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac5f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction ID: 635bb66fa1d49dc6777b9da6cbd95241cf89918d2ebac87f22ab65b774c3ecdf
                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction Fuzzy Hash: 2BE01A31B4C909CFEB68DB0CE040DA973E5EB9932171181B7E14EC7561CB22EC559BC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1516279032.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac520000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 80140f74b68d82486acc20b59176f902eee69f922d174e1ea4ff62759da2bcf6
                                                                    • Instruction ID: 973ed263dd0232f19ab4da9184c1c5b756c289e161fafe21c996fed82f6a43df
                                                                    • Opcode Fuzzy Hash: 80140f74b68d82486acc20b59176f902eee69f922d174e1ea4ff62759da2bcf6
                                                                    • Instruction Fuzzy Hash: 48E0E531848A8D8FDB84DF18C81A4A57FE0FF25201B00019BE40CC3120EB21D958CBC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1516279032.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaac520000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: N_^$N_^$N_^$N_^$N_^)
                                                                    • API String ID: 0-2116595195
                                                                    • Opcode ID: 1a5ace7d02389b4487bab091a1c6cf97edddd59742e68ad349a1753028153469
                                                                    • Instruction ID: 82d54407579c9d9cd91f04beb491a4d32a7b39b11099f76374d4d7eaa31f9e24
                                                                    • Opcode Fuzzy Hash: 1a5ace7d02389b4487bab091a1c6cf97edddd59742e68ad349a1753028153469
                                                                    • Instruction Fuzzy Hash: 7961B4B390E7878BF30A57B898751A56FD4EF5332470981F6D08D8B4A3ED19644A86C2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1673704747.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac620000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: X7"9
                                                                    • API String ID: 0-4134454636
                                                                    • Opcode ID: c6eb0d9bd5a4ac2497860b636101571a79dd9eabeec3a3c87512a3517126cab4
                                                                    • Instruction ID: d3a037c12858792096204874fc70ebc66915dbbc1485976d383bb506728aef03
                                                                    • Opcode Fuzzy Hash: c6eb0d9bd5a4ac2497860b636101571a79dd9eabeec3a3c87512a3517126cab4
                                                                    • Instruction Fuzzy Hash: 12C159B2D0EB8A8FF756DB2898155B5BBE0EF56310B0451BEE04DC71D3EA18DC098392
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1672765116.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac550000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a2bf01c950faa59d6260cb5a03434123783a8dd74c888c4168bc0d93fd4d1c71
                                                                    • Instruction ID: b4df1da338a09a01f3e895375b812447f2095f7e59493ced73f549297f7f5943
                                                                    • Opcode Fuzzy Hash: a2bf01c950faa59d6260cb5a03434123783a8dd74c888c4168bc0d93fd4d1c71
                                                                    • Instruction Fuzzy Hash: FC51DDB784E6CB4FF742676CE8A24F53F64EF53218B0C42B6D08CDA163EC19945A46C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1671819842.00007FFAAC43D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac43d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc45b4f3f0552f0e9df23b656fdf49024a89d0f873e55874d65a6571954340bf
                                                                    • Instruction ID: 6292322f82be5f70e921e4d55854463021d89757ea1edd41a49d5426048c7a82
                                                                    • Opcode Fuzzy Hash: fc45b4f3f0552f0e9df23b656fdf49024a89d0f873e55874d65a6571954340bf
                                                                    • Instruction Fuzzy Hash: A041263041EBC48FE7579B2898459523FF0EF97324B1901DFD088CB1A3D625E84AC792
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1672765116.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac550000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4d1778088f3efe70002fe62d22916243f4bfeb6c22fd81584d282e68ae7786f1
                                                                    • Instruction ID: d54d1540067bd0ea72c4168a2408987e874435d730ad55bc3ea296611019ffdf
                                                                    • Opcode Fuzzy Hash: 4d1778088f3efe70002fe62d22916243f4bfeb6c22fd81584d282e68ae7786f1
                                                                    • Instruction Fuzzy Hash: 0331957191CB4C8FDB5CDB5CA84A6E97BE0FB99311F00422FE449D3251CA71A8558BC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1672765116.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac550000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb3a033946ad87300bad09963afbb70ddb38a23916e69ae82456e0c46327fa24
                                                                    • Instruction ID: 1bd2081e945e6741f1ef85b3fd30fbe8c9df7b2d2a4c99eda089d548f5656c6c
                                                                    • Opcode Fuzzy Hash: eb3a033946ad87300bad09963afbb70ddb38a23916e69ae82456e0c46327fa24
                                                                    • Instruction Fuzzy Hash: 5121283190CB4C8FEB59DBAC984A7E97FE0EBA6320F04416FD048C3162DA74941ACB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1672765116.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac550000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                    • Instruction ID: de0ad4a6b3d747fbf02170dd759d92f3cdde3e00cdea71f3bd1e496c2a3ba695
                                                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                    • Instruction Fuzzy Hash: 7E01677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1673704747.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac620000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d39cd7bd42d9493500b21c9d82ad64dbe98d7ebddcbc5df83ce69e91726238f5
                                                                    • Instruction ID: f80c6f80b515690fc4afb925f0f638c88b26029f6b52764f0315fabaf7817758
                                                                    • Opcode Fuzzy Hash: d39cd7bd42d9493500b21c9d82ad64dbe98d7ebddcbc5df83ce69e91726238f5
                                                                    • Instruction Fuzzy Hash: 48F0BE32A0D9048FE759EB5CE4458F8B7E0EF55360B1550BAE05EC75A3DE25EC44C780
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1673704747.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac620000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cdbb9ad172a1a89cd73fa2300b123f85fee859969d9140bbc29125b4fc48cee
                                                                    • Instruction ID: 50045be43b3e8aa5c869f24d1b254e9ae8793a0a7ff2fc2f7a62bed5f2addbd8
                                                                    • Opcode Fuzzy Hash: 0cdbb9ad172a1a89cd73fa2300b123f85fee859969d9140bbc29125b4fc48cee
                                                                    • Instruction Fuzzy Hash: 5BF08232A0D5448FE759EB5CE4419E8BBE0FF45320B5560B6E14ECB463DA25EC44C790
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1673704747.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffaac620000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2059859989.00007FFAAC540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC540000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_7ffaac540000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4287abb47b206ee998090f1c5aa4f30cb3dc16912c1048b472de4867881e0318
                                                                    • Instruction ID: a4a95a46d57a17814b88b8e859224a7b6cf41f3f4d8a647d853ca77d9ac86dcd
                                                                    • Opcode Fuzzy Hash: 4287abb47b206ee998090f1c5aa4f30cb3dc16912c1048b472de4867881e0318
                                                                    • Instruction Fuzzy Hash: D62196A1B5890A4BFB84BBBCD41A7BC72D6EF9D751F1045BAE00EC3293DD2CA8014781
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2059859989.00007FFAAC540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC540000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_7ffaac540000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b2d2e354bf7496f9b6f7b58a70af747972bc2f76197af1da674265678d0b88c0
                                                                    • Instruction ID: 64392028f60d2a8b645742e8b02df14d90545a9e7da4f4cf9d2ce7b648971513
                                                                    • Opcode Fuzzy Hash: b2d2e354bf7496f9b6f7b58a70af747972bc2f76197af1da674265678d0b88c0
                                                                    • Instruction Fuzzy Hash: FD21947965868E5FD784EF68D094BAD7FE2BF98200BA08874D409C77E7CE386908C750
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8M%
                                                                    • API String ID: 0-1690249272
                                                                    • Opcode ID: 8d3276ae802a3e01e3b4774fb29f5554ecfbc5e37340ec8dfd39f433e8f5f989
                                                                    • Instruction ID: dd607f996e4ea8704ba56c5c70c9ab5e8552c9b797b7a0498b00f63890701fb8
                                                                    • Opcode Fuzzy Hash: 8d3276ae802a3e01e3b4774fb29f5554ecfbc5e37340ec8dfd39f433e8f5f989
                                                                    • Instruction Fuzzy Hash: 3AF1A571B59B4A4FE794FB3884696BA77D6FF89300F404979E40EC33D2DE28A8458781
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 34e74db759a2430f3e21bed93fcb8bc911b7d4e19bca7edfecebe7e2239fa76f
                                                                    • Instruction ID: e77f56cc9f57bf28602b9f4c74a1daed5a1a6991a5b6ffd453e5a58662802ae5
                                                                    • Opcode Fuzzy Hash: 34e74db759a2430f3e21bed93fcb8bc911b7d4e19bca7edfecebe7e2239fa76f
                                                                    • Instruction Fuzzy Hash: 98A132B3E0C26A4BE751B3BCB4615EABF60DF46375B088577E18EDA1A3CC04644A87D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53bd293a229093cd5ec478c8873fb60094d6d194d1d49448331a18bfc66b623f
                                                                    • Instruction ID: c2a6a9d8a4fa5f0666f488b02557988631688950e673f30abc172e03f4afe115
                                                                    • Opcode Fuzzy Hash: 53bd293a229093cd5ec478c8873fb60094d6d194d1d49448331a18bfc66b623f
                                                                    • Instruction Fuzzy Hash: 42513651A5E6C64FE787A77898646767FD5DF47215B0844FBE08EC72E3DD088806C382
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;N_$<N_^
                                                                    • API String ID: 0-579182416
                                                                    • Opcode ID: 8b05634fb21409c2daefb73dea31f2136727d833be14aba0a5ee1c2ecb295f52
                                                                    • Instruction ID: c1f9f09df8e8ca1e220c6ba0a9c51efd705d970cd49eb7ae205a3bc84f20777e
                                                                    • Opcode Fuzzy Hash: 8b05634fb21409c2daefb73dea31f2136727d833be14aba0a5ee1c2ecb295f52
                                                                    • Instruction Fuzzy Hash: 0341C4B668924A4FD780EB7CD4B69FA7FA1EF85310F80C875D009CB3A7DD2499498781
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HB%
                                                                    • API String ID: 0-81579929
                                                                    • Opcode ID: 5d266c08b11e644259e421b989727c10d190ee7ad794e10b6dab3c0649f9facd
                                                                    • Instruction ID: cfa042199845b33a17fd5b2cccac11902e53f347b2fc53d0273869ce7f439510
                                                                    • Opcode Fuzzy Hash: 5d266c08b11e644259e421b989727c10d190ee7ad794e10b6dab3c0649f9facd
                                                                    • Instruction Fuzzy Hash: 1951D6B6B4861A8BEB40FBBCE4615ED73E1EF89365F40853AD10DD73A2CD28A44587C0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HB%
                                                                    • API String ID: 0-81579929
                                                                    • Opcode ID: 00977e4e7ceac1a3992e81c0e6cac3b89708dc56ffca0aeadd8921c740edb81e
                                                                    • Instruction ID: 6cfae173e4dc9d5e901c8d1cbe4e48ef96d09c7191f362fc80fbc2cbc86de826
                                                                    • Opcode Fuzzy Hash: 00977e4e7ceac1a3992e81c0e6cac3b89708dc56ffca0aeadd8921c740edb81e
                                                                    • Instruction Fuzzy Hash: 5341A276B58A1E8FEB44FB78D8656ED77E1FF88311F50853AD009D7292CE34A4468780
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8e%
                                                                    • API String ID: 0-1390493536
                                                                    • Opcode ID: e26ad5b1b4ce7a7bcf643264152181dc9dea72e5482c901e65f4971075ae6c34
                                                                    • Instruction ID: d3f0167d4e202c42be6afc6b23ea91a704ada1a40440559a3a543109dca25e89
                                                                    • Opcode Fuzzy Hash: e26ad5b1b4ce7a7bcf643264152181dc9dea72e5482c901e65f4971075ae6c34
                                                                    • Instruction Fuzzy Hash: 6D017B05D0D7864FF391A73868654727FE0DF82310B0844BBF48CC62E7DC14998883D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 936429740448a539a5037fa079a727bc7068f336abd6cc8649822bfd68d08430
                                                                    • Instruction ID: 865573ba516263da7e8a9cbc4417607863f42addbf75426d1d0e4d31dc2dd89e
                                                                    • Opcode Fuzzy Hash: 936429740448a539a5037fa079a727bc7068f336abd6cc8649822bfd68d08430
                                                                    • Instruction Fuzzy Hash: BD512662A0D7864FE356A77CD8266F63BD5DF87220B0984FBD08DC72A3DC1C98468391
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 851423b76b16c1d92a1441760c78ce249de47bf3af73a81e1316e79f59439432
                                                                    • Instruction ID: fa57478cff2ebeeca296c5e6ff8cff8464e9b6746d8a7a11dfa9dfc364d6372c
                                                                    • Opcode Fuzzy Hash: 851423b76b16c1d92a1441760c78ce249de47bf3af73a81e1316e79f59439432
                                                                    • Instruction Fuzzy Hash: 5C31C962E18A4E8FEB44E768D8661FDBBB1FF45251F448576D10ED72A2CD24580A83D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc00364ab351adc122846cd0bf815a8f79812eda38a84b3231a0ab1c071c258a
                                                                    • Instruction ID: 37fca5ad9a751289dd2acc998f137aa41a4568cf631e0bf3a38be4494ac423b3
                                                                    • Opcode Fuzzy Hash: dc00364ab351adc122846cd0bf815a8f79812eda38a84b3231a0ab1c071c258a
                                                                    • Instruction Fuzzy Hash: C531D561B189094FE788EB3CD45A779A6C6EB89311F0445BEF04EC33A3DD689C418384
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 83dd52ee6dd9a50d1a9235d968c89e97de321891977fdefa633e5e106451db45
                                                                    • Instruction ID: 97a3e03e4c766524603683acfe186b00df7641384f3faa57ad487e88d93c9cca
                                                                    • Opcode Fuzzy Hash: 83dd52ee6dd9a50d1a9235d968c89e97de321891977fdefa633e5e106451db45
                                                                    • Instruction Fuzzy Hash: 052187A1B1890A4BFB84B7BCD41A7BC72D6EF98751F10457AE10EC3392DE2C98414781
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2140344782.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffaac530000_XClient.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 392953d84b91e14e95f972a9479c9ac24987cceee3cfe3967a90e645c225674e
                                                                    • Instruction ID: 25e054a2ec2142a5bb9af51f3e536c0408bb708c4f724430197e55ee0f386c29
                                                                    • Opcode Fuzzy Hash: 392953d84b91e14e95f972a9479c9ac24987cceee3cfe3967a90e645c225674e
                                                                    • Instruction Fuzzy Hash: 292130A569460E5BD784FF68D0A99BE7FA2BB88200FD0C874D40AC77A6CD346944C751