
Windows Analysis Report
fvbhdyuJYi.exe

Overview

General Information

Sample name: fvbhdyuJYi.exe (renamed because original name is a hash value)
Original sample name: 8173d5d5f34b1de85ad5dabe4b8c11f137af490ca86488ea43527d1620388f55.exe
Analysis ID: 1579077
MD5: f10a238cb146d57eb93956dbc6769b20
SHA1: bd51c0f1aa78f671586f557dadf896747efef24a
SHA256: 8173d5d5f34b1de85ad5dabe4b8c11f137af490ca86488ea43527d1620388f55
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • fvbhdyuJYi.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\fvbhdyuJYi.exe" MD5: F10A238CB146D57EB93956DBC6769B20)
    • powershell.exe (PID: 7688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fvbhdyuJYi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1148 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 1568 cmdline: C:\Users\user\AppData\Local\XClient.exe MD5: F10A238CB146D57EB93956DBC6769B20)
  • XClient.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Local\XClient.exe" MD5: F10A238CB146D57EB93956DBC6769B20)
  • XClient.exe (PID: 2100 cmdline: "C:\Users\user\AppData\Local\XClient.exe" MD5: F10A238CB146D57EB93956DBC6769B20)
  • XClient.exe (PID: 7728 cmdline: C:\Users\user\AppData\Local\XClient.exe MD5: F10A238CB146D57EB93956DBC6769B20)
  • cleanup
{"C2 url": ["147.185.221.24"], "Port": 37020, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: fvbhdyuJYi.exe, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: fvbhdyuJYi.exe, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: fvbhdyuJYi.exe, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xbaae:$s6: VirtualBox
  • 0xba0c:$s8: Win32_ComputerSystem
  • 0xce4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xceeb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd000:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc766:$cnc4: POST / HTTP/1.1

Source: C:\Users\user\AppData\Local\XClient.exe, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: C:\Users\user\AppData\Local\XClient.exe, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: C:\Users\user\AppData\Local\XClient.exe, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xbaae:$s6: VirtualBox
  • 0xba0c:$s8: Win32_ComputerSystem
  • 0xce4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xceeb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd000:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc766:$cnc4: POST / HTTP/1.1

Source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0x191ce:$s6: VirtualBox
  • 0x1912c:$s8: Win32_ComputerSystem
  • 0x1a56e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1a60b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1a720:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x19e86:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.2652211933.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xb8ae:$s6: VirtualBox
  • 0xb80c:$s8: Win32_ComputerSystem
  • 0xcc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xce00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc566:$cnc4: POST / HTTP/1.1
Source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xbaae:$s6: VirtualBox
  • 0xba0c:$s8: Win32_ComputerSystem
  • 0xce4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xceeb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd000:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc766:$cnc4: POST / HTTP/1.1
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.unpack, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.unpack, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0x9cae:$s6: VirtualBox
  • 0x9c0c:$s8: Win32_ComputerSystem
  • 0xb04e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb0eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb200:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa966:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fvbhdyuJYi.exe", ParentImage: C:\Users\user\Desktop\fvbhdyuJYi.exe, ParentProcessId: 7516, ParentProcessName: fvbhdyuJYi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', ProcessId: 7688, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fvbhdyuJYi.exe", ParentImage: C:\Users\user\Desktop\fvbhdyuJYi.exe, ParentProcessId: 7516, ParentProcessName: fvbhdyuJYi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', ProcessId: 7688, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Local\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fvbhdyuJYi.exe, ProcessId: 7516, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fvbhdyuJYi.exe", ParentImage: C:\Users\user\Desktop\fvbhdyuJYi.exe, ParentProcessId: 7516, ParentProcessName: fvbhdyuJYi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', ProcessId: 7688, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\fvbhdyuJYi.exe, ProcessId: 7516, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\fvbhdyuJYi.exe", ParentImage: C:\Users\user\Desktop\fvbhdyuJYi.exe, ParentProcessId: 7516, ParentProcessName: fvbhdyuJYi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe", ProcessId: 1148, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fvbhdyuJYi.exe", ParentImage: C:\Users\user\Desktop\fvbhdyuJYi.exe, ParentProcessId: 7516, ParentProcessName: fvbhdyuJYi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe', ProcessId: 7688, ProcessName: powershell.exe
Timestamp: 2024-12-20T19:14:22.645159+0100, SID: 2855924, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.8, Source Port: 49710, Destination IP: 147.185.221.24, Destination Port: 37020, Protocol: TCP


AV Detection

Source: fvbhdyuJYi.exe, Avira: detected
Source: C:\Users\user\AppData\Local\XClient.exe, Avira: detection malicious, Label: TR/Spy.Gen
Source: fvbhdyuJYi.exe, Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.24"], "Port": 37020, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Local\XClient.exe, ReversingLabs: Detection: 86%
Source: fvbhdyuJYi.exe, ReversingLabs: Detection: 86%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\XClient.exe, Joe Sandbox ML: detected
Source: fvbhdyuJYi.exe, Joe Sandbox ML: detected
Source: fvbhdyuJYi.exe, String decryptor: 147.185.221.24
Source: fvbhdyuJYi.exe, String decryptor: 37020
Source: fvbhdyuJYi.exe, String decryptor: <123456789>
Source: fvbhdyuJYi.exe, String decryptor: <Xwormmm>
Source: fvbhdyuJYi.exe, String decryptor: XWorm V5.2
Source: fvbhdyuJYi.exe, String decryptor: USB.exe
Source: fvbhdyuJYi.exe, String decryptor: %LocalAppData%
Source: fvbhdyuJYi.exe, String decryptor: XClient.exe
Source: fvbhdyuJYi.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fvbhdyuJYi.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic, Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49710 -> 147.185.221.24:37020
Source: Malware configuration extractor, URLs: 147.185.221.24
Source: Yara match, File source: fvbhdyuJYi.exe, type: SAMPLE
Source: Yara match, File source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: C:\Users\user\AppData\Local\XClient.exe, type: DROPPED
Source: global traffic, TCP traffic: 192.168.2.8:49710 -> 147.185.221.24:37020
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: Joe Sandbox View, IP Address: 147.185.221.24
Source: Joe Sandbox View, ASN Name: SALSGIVERUS
Source: unknown, DNS query: name: ip-api.com
Source: unknown, TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000005.00000002.1615926735.0000027E21115000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.1760388313.000002649AE80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1981913199.000001AF69A49000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.1760388313.000002649AE80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1981913199.000001AF69A49000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micft.cMicRosof
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com
Source: fvbhdyuJYi.exe, XClient.exe.0.dr, String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.1489915659.000001F4E6150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1604732024.0000027E18CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1743779648.0000026492A7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1464389484.000001F4D6309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08E69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482C3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1464389484.000001F4D60E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF513D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1464389484.000001F4D6309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08E69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482C3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1760388313.000002649AE80000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000002.00000002.1464389484.000001F4D60E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF513D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1489915659.000001F4E6150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1604732024.0000027E18CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1743779648.0000026492A7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\fvbhdyuJYi.exe, Process information set: 01 00 00 00

System Summary

                      Source: fvbhdyuJYi.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\XClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exeCode function: 0_2_00007FFB4AEF23610_2_00007FFB4AEF2361
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Code function: 0_2_00007FFB4AEF16E9
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Code function: 0_2_00007FFB4AEF6096
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Code function: 0_2_00007FFB4AEF6E42
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Code function: 0_2_00007FFB4AEF20C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4AFC30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4AFE30E9
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 16_2_00007FFB4AEF16E9
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 16_2_00007FFB4AEF0E5E
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 16_2_00007FFB4AEF20C1
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 17_2_00007FFB4AEF16E9
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 17_2_00007FFB4AEF0E5E
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 17_2_00007FFB4AEF20C1
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 18_2_00007FFB4AF016E9
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 18_2_00007FFB4AF00E5E
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 18_2_00007FFB4AF020C1
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 20_2_00007FFB4AF10E5E
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 20_2_00007FFB4AF116E9
Source: C:\Users\user\AppData\Local\XClient.exe | Code function: 20_2_00007FFB4AF120C1
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameniggaclientr.exe4 vs fvbhdyuJYi.exe
Source: fvbhdyuJYi.exe, 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameniggaclientr.exe4 vs fvbhdyuJYi.exe
Source: fvbhdyuJYi.exe | Binary or memory string: OriginalFilenameniggaclientr.exe4 vs fvbhdyuJYi.exe
Source: fvbhdyuJYi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fvbhdyuJYi.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: fvbhdyuJYi.exe, LdLNc6WMBHRshAF.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: fvbhdyuJYi.exe, MhnYxvlVZ35NzQb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: fvbhdyuJYi.exe, MhnYxvlVZ35NzQb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, LdLNc6WMBHRshAF.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, MhnYxvlVZ35NzQb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, MhnYxvlVZ35NzQb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, LdLNc6WMBHRshAF.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, MhnYxvlVZ35NzQb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, MhnYxvlVZ35NzQb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.0.dr, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: fvbhdyuJYi.exe, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: fvbhdyuJYi.exe, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/21@1/2
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File created: C:\Users\user\AppData\Local\XClient.exe
Source: C:\Users\user\AppData\Local\XClient.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Mutant created: \Sessions\1\BaseNamedObjects\8M9IXf240DJfHwIe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: fvbhdyuJYi.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fvbhdyuJYi.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: fvbhdyuJYi.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File read: C:\Users\user\Desktop\fvbhdyuJYi.exe
Source: unknown | Process created: C:\Users\user\Desktop\fvbhdyuJYi.exe "C:\Users\user\Desktop\fvbhdyuJYi.exe"
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fvbhdyuJYi.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\XClient.exe C:\Users\user\AppData\Local\XClient.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\XClient.exe C:\Users\user\AppData\Local\XClient.exe
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe'
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fvbhdyuJYi.exe'
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe"
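The PowerShell and schtasks command lines above are the evidence an analyst would turn into a hunt: Defender exclusions added for both the dropper and the dropped XClient.exe, with the execution policy bypassed on every call, and a scheduled task that relaunches XClient.exe from a user-writable directory every minute at the highest run level. The Python script below is an added example, not part of the Joe Sandbox report, that applies those patterns to process-creation records. The record layout (id, parent, image, cmdline) is an assumption; the sample records are constructed, with the first five modelled on the commands above, a sixth constructed -EncodedCommand variant of the same cmdlet (the case the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the signature list targets), and two benign controls.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation records (hypothetical field names, not the sandbox's
# own log format). Records 1-5 mirror the process tree in the report, record 6 is a
# constructed -EncodedCommand variant of the same cmdlet, records 7-8 are benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\fvbhdyuJYi.exe"
DROPPED = r"C:\Users\user\AppData\Local\XClient.exe"
# powershell.exe -EncodedCommand takes base64 of UTF-16LE text.
ENCODED_PAYLOAD = base64.b64encode(
    f"Add-MpPreference -ExclusionPath '{DROPPED}'".encode("utf-16-le")).decode()

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": DROPPER, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPER}'"},
    {"id": "2", "parent": DROPPER, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fvbhdyuJYi.exe'"},
    {"id": "3", "parent": DROPPER, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPED}'"},
    {"id": "4", "parent": DROPPER, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    {"id": "5", "parent": DROPPER, "image": ST,
     "cmdline": f"\"{ST}\" /create /f /RL HIGHEST /sc minute /mo 1 /tn \"XClient\" /tr \"{DROPPED}\""},
    {"id": "6", "parent": DROPPER, "image": PS,
     "cmdline": f"\"{PS}\" -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"id": "7", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
    {"id": "8", "parent": r"C:\Windows\System32\cmd.exe", "image": ST,
     "cmdline": f"\"{ST}\" /create /sc daily /st 02:00 /tn \"NightlyBackup\" /tr \"C:\\Program Files\\Backup\\backup.exe\""},
]


@dataclass
class Finding:
    event_id: str
    rule: str
    detail: str


# -ExecutionPolicy may be abbreviated (-ex, -ep); -EncodedCommand as -e, -ec, -enc.
EXEC_BYPASS = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)
ENCODED = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MP_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\s+\S+", re.I)
SCH_CREATE = re.compile(r"/create\b", re.I)
SCH_MINUTE = re.compile(r"/sc\s+minute\b", re.I)
SCH_HIGHEST = re.compile(r"/RL\s+HIGHEST\b", re.I)
SCH_TARGET = re.compile(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', re.I)
# Directories a standard user can write to; a task or parent living here is suspect.
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if absent or undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply every rule to one process-creation record and return what fired."""
    eid, image, cmd = ev["id"], ev["image"].lower(), ev["cmdline"]
    out: List[Finding] = []
    is_ps = image.endswith("powershell.exe")
    is_st = image.endswith("schtasks.exe")
    if (is_ps or is_st) and USER_WRITABLE.search(ev["parent"]):
        out.append(Finding(eid, "launched_by_user_path_binary", ev["parent"]))
    if is_ps:
        m = EXEC_BYPASS.search(cmd)
        if m:
            out.append(Finding(eid, "powershell_execution_policy_bypass", m.group(0)))
        # Look at the visible command line and, if -EncodedCommand is used, its decoded payload.
        for where, text in (("plain", cmd), ("decoded", decode_encoded_command(cmd))):
            m = MP_EXCLUSION.search(text)
            if m:
                out.append(Finding(eid, "defender_exclusion_added", f"{where}: {m.group(0)}"))
    elif is_st and SCH_CREATE.search(cmd):
        t = SCH_TARGET.search(cmd)
        target = (t.group(1) or t.group(2)) if t else ""
        if target and USER_WRITABLE.search(target) and (SCH_MINUTE.search(cmd) or SCH_HIGHEST.search(cmd)):
            out.append(Finding(eid, "schtasks_user_path_persistence", target))
    return out


def analyze(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```

Run it directly to print the findings; in a pipeline, feed `analyze()` records from Sysmon Event ID 1 or Security Event ID 4688 after mapping their fields onto the same keys. Decoding -EncodedCommand is what catches the sixth record: the plain-text regex alone never sees the cmdlet name.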
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\XClient.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: XClient.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\XClient.exe
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: fvbhdyuJYi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: fvbhdyuJYi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.bmKxeXB9SxyvhPAZUd1rwv41V4qpG0Tzwt3H3lcR9SSSI7KQg8BXR5WQyuhLS4najWVswCf39,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.IjEJLnYncUDS8WS78qq42O5TD8rUTW6L3DT3Z1yH6jATMrKladh2cjr6Y0tQhjMdhD4NDOe74,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX._6tTeED7zIymrTLw1XpalZgax72dfRXGc4BEOtTePpV5ysam5kpHAvj2EFp45FjFU7suqNQSea,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.g1sEFJJJEKAQ6lNLT500HsgPcbsT1DCw2P0LBfpoahbJHtzz7X531oGaGJDovfOYJTbt9iqLo,MhnYxvlVZ35NzQb.Dsaa2QzE6uQdrB6()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_0nnzaEYIDS5ZV9v[2],MhnYxvlVZ35NzQb._8ZSs2ovQiaaFkar(Convert.FromBase64String(_0nnzaEYIDS5ZV9v[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _0nnzaEYIDS5ZV9v[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.bmKxeXB9SxyvhPAZUd1rwv41V4qpG0Tzwt3H3lcR9SSSI7KQg8BXR5WQyuhLS4najWVswCf39,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.IjEJLnYncUDS8WS78qq42O5TD8rUTW6L3DT3Z1yH6jATMrKladh2cjr6Y0tQhjMdhD4NDOe74,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX._6tTeED7zIymrTLw1XpalZgax72dfRXGc4BEOtTePpV5ysam5kpHAvj2EFp45FjFU7suqNQSea,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.g1sEFJJJEKAQ6lNLT500HsgPcbsT1DCw2P0LBfpoahbJHtzz7X531oGaGJDovfOYJTbt9iqLo,MhnYxvlVZ35NzQb.Dsaa2QzE6uQdrB6()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_0nnzaEYIDS5ZV9v[2],MhnYxvlVZ35NzQb._8ZSs2ovQiaaFkar(Convert.FromBase64String(_0nnzaEYIDS5ZV9v[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _0nnzaEYIDS5ZV9v[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.bmKxeXB9SxyvhPAZUd1rwv41V4qpG0Tzwt3H3lcR9SSSI7KQg8BXR5WQyuhLS4najWVswCf39,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.IjEJLnYncUDS8WS78qq42O5TD8rUTW6L3DT3Z1yH6jATMrKladh2cjr6Y0tQhjMdhD4NDOe74,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX._6tTeED7zIymrTLw1XpalZgax72dfRXGc4BEOtTePpV5ysam5kpHAvj2EFp45FjFU7suqNQSea,b2xxkoAsd9KeY26ouTP53XHP8p43FH2NmF6vbHaNE3EVOM3MVwsrsHYC86yfkmQ9B9lBJR6lX.g1sEFJJJEKAQ6lNLT500HsgPcbsT1DCw2P0LBfpoahbJHtzz7X531oGaGJDovfOYJTbt9iqLo,MhnYxvlVZ35NzQb.Dsaa2QzE6uQdrB6()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_0nnzaEYIDS5ZV9v[2],MhnYxvlVZ35NzQb._8ZSs2ovQiaaFkar(Convert.FromBase64String(_0nnzaEYIDS5ZV9v[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _0nnzaEYIDS5ZV9v[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.cs | .Net Code: DEn4qzOxYhrwVuu System.AppDomain.Load(byte[])
                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.cs | .Net Code: _3tQ6WCnYG6UhnRr System.AppDomain.Load(byte[])
                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.cs | .Net Code: _3tQ6WCnYG6UhnRr
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.cs | .Net Code: DEn4qzOxYhrwVuu System.AppDomain.Load(byte[])
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.cs | .Net Code: _3tQ6WCnYG6UhnRr System.AppDomain.Load(byte[])
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.cs | .Net Code: _3tQ6WCnYG6UhnRr
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.cs | .Net Code: DEn4qzOxYhrwVuu System.AppDomain.Load(byte[])
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.cs | .Net Code: _3tQ6WCnYG6UhnRr System.AppDomain.Load(byte[])
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.cs | .Net Code: _3tQ6WCnYG6UhnRr
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Code function: 0_2_00007FFB4AEF773C pushad ; ret 0_2_00007FFB4AEF774A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4ADDDFE6 push edi; ret 2_2_00007FFB4ADDDFE7
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4ADDD2A5 pushad ; iretd 2_2_00007FFB4ADDD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4AEF0984 push E95A4AD0h; ret 2_2_00007FFB4AEF09C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4AEF121D pushad ; ret 2_2_00007FFB4AEF1262
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4AEF05A9 push edi; ret 2_2_00007FFB4AEF05AA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4AFC2316 push 8B485F94h; iretd 2_2_00007FFB4AFC231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4ADFDB66 push edi; ret 5_2_00007FFB4ADFDB67
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4ADFD2A5 pushad ; iretd 5_2_00007FFB4ADFD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4AF10E23 pushad ; ret 5_2_00007FFB4AF10F1A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4AFE2316 push 8B485F92h; iretd 5_2_00007FFB4AFE231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4ADFDB86 push edi; ret 8_2_00007FFB4ADFDB87
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4ADFD2A5 pushad ; iretd 8_2_00007FFB4ADFD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4AF1125A pushad ; ret 8_2_00007FFB4AF11272
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4AFE2316 push 8B485F92h; iretd 8_2_00007FFB4AFE231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFB4ADFDA86 push edi; ret 10_2_00007FFB4ADFDA87
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFB4ADFD2A5 pushad ; iretd 10_2_00007FFB4ADFD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFB4AF10E95 pushad ; ret 10_2_00007FFB4AF10EAA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFB4AFE2316 push 8B485F92h; iretd 10_2_00007FFB4AFE231B
                      Source: fvbhdyuJYi.exe, 0nZAl7aJidhsHJt.csHigh entropy of concatenated method names: '_8w5o4bVmJMM4SEA', '_6K5ybPQC6WaZ27h', 'am3nwzIz6S2zxI6', 'BCyPT06GdWRaKTK', 'J1tndDPfHT9Yo5S', 'EgQmJDPypxoHSi9', 'Kk97zcQ3vzlnq5O', 'm1ZyjfAk19VBlHS', 'Y3FRgD6pVG1vh0L', 'Gj55PxEHCv2BPfw'
                      Source: fvbhdyuJYi.exe, qiwGkrEaTAopBk9.csHigh entropy of concatenated method names: '_4RGqAndxsMV4LYf', 'xiUNhCQdKrX55E6', 'bc8odlHtyS2UfQp', 'DmbYGfhMrEce8XG', 'XNnRbd5eLCcGtCk', 'keAkWWbqnTkS2sk', 'ZV6qtMJwikS5NFC', 'K8Q3BFazPAWHG9k', 'YVoO4Y5z5W2NgVI', 'hvMmMRX5tUtOwwK'
                      Source: fvbhdyuJYi.exe, CIgONVZvkBiv4z5pEjzj2KQYETcf8Denld2CZeZDka8oiNsipLU9lhHhqTYQOOByNtrBTi9hO.csHigh entropy of concatenated method names: 'LAisEC6M8HZvcqqHab8m18BV3I5WnW6WGSEV1mLy7mpbXdJxNUm8X9LYSUM22L9620knFJJ68', 'Wtkit85iYZgLn1VZ7zXnjHdCpoOCjdt27wS7aaCZBwWSpQ8gBQlUhPBA5ufiOBwCdfPsDMvmZ', 'Sf8URP4cZxJUvQsNavusmG5ifcRfC1Q7fb8dAd3LbdKRrHEjuugcFORT2YCyBPhDSDGfdMfa3', 'On0b1bUhNrOgyzlGMT1KYMHRVRThLWtQsCDvq5A6n7tC3YlDd0BivRicEQnlzEgE8ZtVDG3Ud', 'z90eYbKqlwtpwGUp4NZuzXwSBaTjVpqBCk7pzMvdmRSQWes4boAy8EbZrDfzs97H2g7yIzpC1', 'uQ1g863jzX7zNPe69gsXjDuAmel8yINsIkYFRJt8zepZU3IfeWn8ERWoZ9XmBLEXl2wgcsXP1', 'C7P4IhUQ4PA7BqlrNmv9psiCLMyoGPHsTuA2LcXlsn1limeYZxZbN4UCkozanEXZfSOgrb4Pb', 'gZR5GqHkClBZiOkjNRMeK0Z8qzAZKQDlakA02fWfxN46EJdeu9LfuXW1HLWmuv70F6gcFO8a8', 'liUTo9MSLJo9AAKaYpcm1bSlUkFtsE0YyKM4aBqZUKpdqjvkGzqSlnXTbLoWv2TRfggt8umCk', 'yClXpkOT0LgCmil4Vcw2gGzcjKxzHBhvHlGIvevv9ZGPtujsgxZMeJcNAJgciTOw3oCCF42Ki'
                      Source: fvbhdyuJYi.exe, qVsD2EhDumLmZi1.csHigh entropy of concatenated method names: 'ee3vv6RHvopA79O', 'dMIpav3b19Zu7QV', 'tVLdMjC1KTe0Fbw', 'xPE1IeBf9T6MhTK', 'l2Of0Fz0N6IoY6L', 'xj23nO0izkbYvn6', 'QdFJc0FF19SKSMl', 'QLuac1mPoB2Ntnw', 'T6gxNQDXoxTp6tL', 'lIumZGYm3ElE6sq'
                      Source: fvbhdyuJYi.exe, MhnYxvlVZ35NzQb.csHigh entropy of concatenated method names: 'iycNkTBbDGpR7SM', 'bFNr4HfGFrgeeeh', 'JoNkLe9MZY7ThRC', 'zj0YCN0HBU72fsS', 'j2Wc0S7BK9jQbH1', 'CMTNHJNyJIrhNPH', 'VilB8tfaUOIzt5m', 'nYAxK2fgImTe8UP', 'zEQieJuejdp8nCi', 'k9ecHz2gUwuN2lF'
                      Source: fvbhdyuJYi.exe, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.csHigh entropy of concatenated method names: '_0Y4OoE1L9imaRzJyYFd0ziCnPAnf3R3InqHqmMOJnoe6DDmf8tD5KIZccdGRK5saAAsXeqeE8', 'OxYiEyE4tpWsXVIiw7OpIxRfcxLbhvjQc9lzZvY9FufSyWkvAjHJBQP5MKz4t7yMmAgg3kWZw', 'LihUa1y5jv0W5wIGY5j7d6VgMlItpTO6llYKtlocjN9ldLIzBSN413539QH9fw1VPbUOOm3sc', 'YjHtlPxZDiaeXm7TGeRjSkRDQucD9d9uUFjjDrBNcaRCrYOxPKe6SgCd7Bi74a3HYDyPLNi1M', '_0mAxNrZbMrc5J43DjEjIdshY3SG9gagbhzMLtQ7YWJpLiSYtNGeD4RBXeoez1VsALjVJmSHAn', 'qFzlV23OWwT0snF7cifDmiyHeHTwryylH3wztWMyYnC2g8QAXnHdJDnWzZat539aGA6WVhhHm', 'YFegfYDU4LRrMQUKbaktZ2uHjPHP1w3QQHdP0MaSdrrZgIvFUvPXqpuilaLmZRGvQM61eCWwI', 'JA71vmN0tCkWcNeToGPAb8MSxUiJtcXMzNCbI8N755ssVQKz4j5fJUj4AEVwiSn0cT6XZ3fTZ', 'yvvzEunX47ioK4QtldE2dTioVawDzNaWxamU06Fqcm5Tr6sBQzv68M7Q9NaqJJ6KbfUseLLsI', '_1XmlDwtreV9bGb4swl5vKcQDjME7GP0fCjYBjjBPdUrLH2xbTq9Pgep5YuoAS2IYhtW9dU5PY'
                      Source: fvbhdyuJYi.exe, RTTzOahPFW7d0Zn.csHigh entropy of concatenated method names: 'V1RTVC7TiJacYE1', 'DEn4qzOxYhrwVuu', 'V6ciQ54NbMoZOnx', 'JHCMjrub7CWJyRU', 'JT43sN7n1JHVCEk', 'NM6kUB4UIiaOPuW', 'zNdHF7dTD44NTlE', 'tUhYattER9lrf5r', 'ceI2NIngLJCVu0s', 'aoeN6Iq6TuV6rsv'
                      Source: XClient.exe.0.dr, 0nZAl7aJidhsHJt.csHigh entropy of concatenated method names: '_8w5o4bVmJMM4SEA', '_6K5ybPQC6WaZ27h', 'am3nwzIz6S2zxI6', 'BCyPT06GdWRaKTK', 'J1tndDPfHT9Yo5S', 'EgQmJDPypxoHSi9', 'Kk97zcQ3vzlnq5O', 'm1ZyjfAk19VBlHS', 'Y3FRgD6pVG1vh0L', 'Gj55PxEHCv2BPfw'
                      Source: XClient.exe.0.dr, qiwGkrEaTAopBk9.csHigh entropy of concatenated method names: '_4RGqAndxsMV4LYf', 'xiUNhCQdKrX55E6', 'bc8odlHtyS2UfQp', 'DmbYGfhMrEce8XG', 'XNnRbd5eLCcGtCk', 'keAkWWbqnTkS2sk', 'ZV6qtMJwikS5NFC', 'K8Q3BFazPAWHG9k', 'YVoO4Y5z5W2NgVI', 'hvMmMRX5tUtOwwK'
                      Source: XClient.exe.0.dr, CIgONVZvkBiv4z5pEjzj2KQYETcf8Denld2CZeZDka8oiNsipLU9lhHhqTYQOOByNtrBTi9hO.csHigh entropy of concatenated method names: 'LAisEC6M8HZvcqqHab8m18BV3I5WnW6WGSEV1mLy7mpbXdJxNUm8X9LYSUM22L9620knFJJ68', 'Wtkit85iYZgLn1VZ7zXnjHdCpoOCjdt27wS7aaCZBwWSpQ8gBQlUhPBA5ufiOBwCdfPsDMvmZ', 'Sf8URP4cZxJUvQsNavusmG5ifcRfC1Q7fb8dAd3LbdKRrHEjuugcFORT2YCyBPhDSDGfdMfa3', 'On0b1bUhNrOgyzlGMT1KYMHRVRThLWtQsCDvq5A6n7tC3YlDd0BivRicEQnlzEgE8ZtVDG3Ud', 'z90eYbKqlwtpwGUp4NZuzXwSBaTjVpqBCk7pzMvdmRSQWes4boAy8EbZrDfzs97H2g7yIzpC1', 'uQ1g863jzX7zNPe69gsXjDuAmel8yINsIkYFRJt8zepZU3IfeWn8ERWoZ9XmBLEXl2wgcsXP1', 'C7P4IhUQ4PA7BqlrNmv9psiCLMyoGPHsTuA2LcXlsn1limeYZxZbN4UCkozanEXZfSOgrb4Pb', 'gZR5GqHkClBZiOkjNRMeK0Z8qzAZKQDlakA02fWfxN46EJdeu9LfuXW1HLWmuv70F6gcFO8a8', 'liUTo9MSLJo9AAKaYpcm1bSlUkFtsE0YyKM4aBqZUKpdqjvkGzqSlnXTbLoWv2TRfggt8umCk', 'yClXpkOT0LgCmil4Vcw2gGzcjKxzHBhvHlGIvevv9ZGPtujsgxZMeJcNAJgciTOw3oCCF42Ki'
                      Source: XClient.exe.0.dr, qVsD2EhDumLmZi1.csHigh entropy of concatenated method names: 'ee3vv6RHvopA79O', 'dMIpav3b19Zu7QV', 'tVLdMjC1KTe0Fbw', 'xPE1IeBf9T6MhTK', 'l2Of0Fz0N6IoY6L', 'xj23nO0izkbYvn6', 'QdFJc0FF19SKSMl', 'QLuac1mPoB2Ntnw', 'T6gxNQDXoxTp6tL', 'lIumZGYm3ElE6sq'
                      Source: XClient.exe.0.dr, MhnYxvlVZ35NzQb.csHigh entropy of concatenated method names: 'iycNkTBbDGpR7SM', 'bFNr4HfGFrgeeeh', 'JoNkLe9MZY7ThRC', 'zj0YCN0HBU72fsS', 'j2Wc0S7BK9jQbH1', 'CMTNHJNyJIrhNPH', 'VilB8tfaUOIzt5m', 'nYAxK2fgImTe8UP', 'zEQieJuejdp8nCi', 'k9ecHz2gUwuN2lF'
                      Source: XClient.exe.0.dr, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.csHigh entropy of concatenated method names: '_0Y4OoE1L9imaRzJyYFd0ziCnPAnf3R3InqHqmMOJnoe6DDmf8tD5KIZccdGRK5saAAsXeqeE8', 'OxYiEyE4tpWsXVIiw7OpIxRfcxLbhvjQc9lzZvY9FufSyWkvAjHJBQP5MKz4t7yMmAgg3kWZw', 'LihUa1y5jv0W5wIGY5j7d6VgMlItpTO6llYKtlocjN9ldLIzBSN413539QH9fw1VPbUOOm3sc', 'YjHtlPxZDiaeXm7TGeRjSkRDQucD9d9uUFjjDrBNcaRCrYOxPKe6SgCd7Bi74a3HYDyPLNi1M', '_0mAxNrZbMrc5J43DjEjIdshY3SG9gagbhzMLtQ7YWJpLiSYtNGeD4RBXeoez1VsALjVJmSHAn', 'qFzlV23OWwT0snF7cifDmiyHeHTwryylH3wztWMyYnC2g8QAXnHdJDnWzZat539aGA6WVhhHm', 'YFegfYDU4LRrMQUKbaktZ2uHjPHP1w3QQHdP0MaSdrrZgIvFUvPXqpuilaLmZRGvQM61eCWwI', 'JA71vmN0tCkWcNeToGPAb8MSxUiJtcXMzNCbI8N755ssVQKz4j5fJUj4AEVwiSn0cT6XZ3fTZ', 'yvvzEunX47ioK4QtldE2dTioVawDzNaWxamU06Fqcm5Tr6sBQzv68M7Q9NaqJJ6KbfUseLLsI', '_1XmlDwtreV9bGb4swl5vKcQDjME7GP0fCjYBjjBPdUrLH2xbTq9Pgep5YuoAS2IYhtW9dU5PY'
                      Source: XClient.exe.0.dr, RTTzOahPFW7d0Zn.csHigh entropy of concatenated method names: 'V1RTVC7TiJacYE1', 'DEn4qzOxYhrwVuu', 'V6ciQ54NbMoZOnx', 'JHCMjrub7CWJyRU', 'JT43sN7n1JHVCEk', 'NM6kUB4UIiaOPuW', 'zNdHF7dTD44NTlE', 'tUhYattER9lrf5r', 'ceI2NIngLJCVu0s', 'aoeN6Iq6TuV6rsv'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, 0nZAl7aJidhsHJt.csHigh entropy of concatenated method names: '_8w5o4bVmJMM4SEA', '_6K5ybPQC6WaZ27h', 'am3nwzIz6S2zxI6', 'BCyPT06GdWRaKTK', 'J1tndDPfHT9Yo5S', 'EgQmJDPypxoHSi9', 'Kk97zcQ3vzlnq5O', 'm1ZyjfAk19VBlHS', 'Y3FRgD6pVG1vh0L', 'Gj55PxEHCv2BPfw'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, qiwGkrEaTAopBk9.csHigh entropy of concatenated method names: '_4RGqAndxsMV4LYf', 'xiUNhCQdKrX55E6', 'bc8odlHtyS2UfQp', 'DmbYGfhMrEce8XG', 'XNnRbd5eLCcGtCk', 'keAkWWbqnTkS2sk', 'ZV6qtMJwikS5NFC', 'K8Q3BFazPAWHG9k', 'YVoO4Y5z5W2NgVI', 'hvMmMRX5tUtOwwK'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, CIgONVZvkBiv4z5pEjzj2KQYETcf8Denld2CZeZDka8oiNsipLU9lhHhqTYQOOByNtrBTi9hO.csHigh entropy of concatenated method names: 'LAisEC6M8HZvcqqHab8m18BV3I5WnW6WGSEV1mLy7mpbXdJxNUm8X9LYSUM22L9620knFJJ68', 'Wtkit85iYZgLn1VZ7zXnjHdCpoOCjdt27wS7aaCZBwWSpQ8gBQlUhPBA5ufiOBwCdfPsDMvmZ', 'Sf8URP4cZxJUvQsNavusmG5ifcRfC1Q7fb8dAd3LbdKRrHEjuugcFORT2YCyBPhDSDGfdMfa3', 'On0b1bUhNrOgyzlGMT1KYMHRVRThLWtQsCDvq5A6n7tC3YlDd0BivRicEQnlzEgE8ZtVDG3Ud', 'z90eYbKqlwtpwGUp4NZuzXwSBaTjVpqBCk7pzMvdmRSQWes4boAy8EbZrDfzs97H2g7yIzpC1', 'uQ1g863jzX7zNPe69gsXjDuAmel8yINsIkYFRJt8zepZU3IfeWn8ERWoZ9XmBLEXl2wgcsXP1', 'C7P4IhUQ4PA7BqlrNmv9psiCLMyoGPHsTuA2LcXlsn1limeYZxZbN4UCkozanEXZfSOgrb4Pb', 'gZR5GqHkClBZiOkjNRMeK0Z8qzAZKQDlakA02fWfxN46EJdeu9LfuXW1HLWmuv70F6gcFO8a8', 'liUTo9MSLJo9AAKaYpcm1bSlUkFtsE0YyKM4aBqZUKpdqjvkGzqSlnXTbLoWv2TRfggt8umCk', 'yClXpkOT0LgCmil4Vcw2gGzcjKxzHBhvHlGIvevv9ZGPtujsgxZMeJcNAJgciTOw3oCCF42Ki'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, qVsD2EhDumLmZi1.csHigh entropy of concatenated method names: 'ee3vv6RHvopA79O', 'dMIpav3b19Zu7QV', 'tVLdMjC1KTe0Fbw', 'xPE1IeBf9T6MhTK', 'l2Of0Fz0N6IoY6L', 'xj23nO0izkbYvn6', 'QdFJc0FF19SKSMl', 'QLuac1mPoB2Ntnw', 'T6gxNQDXoxTp6tL', 'lIumZGYm3ElE6sq'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, MhnYxvlVZ35NzQb.csHigh entropy of concatenated method names: 'iycNkTBbDGpR7SM', 'bFNr4HfGFrgeeeh', 'JoNkLe9MZY7ThRC', 'zj0YCN0HBU72fsS', 'j2Wc0S7BK9jQbH1', 'CMTNHJNyJIrhNPH', 'VilB8tfaUOIzt5m', 'nYAxK2fgImTe8UP', 'zEQieJuejdp8nCi', 'k9ecHz2gUwuN2lF'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, 2ytl523AULTh44PuGA4Xz0uHPwAwSovXlrZaDMAStxsz1j1RAgSZEAXLJUWIx4k7OXwRZK0Mo.csHigh entropy of concatenated method names: '_0Y4OoE1L9imaRzJyYFd0ziCnPAnf3R3InqHqmMOJnoe6DDmf8tD5KIZccdGRK5saAAsXeqeE8', 'OxYiEyE4tpWsXVIiw7OpIxRfcxLbhvjQc9lzZvY9FufSyWkvAjHJBQP5MKz4t7yMmAgg3kWZw', 'LihUa1y5jv0W5wIGY5j7d6VgMlItpTO6llYKtlocjN9ldLIzBSN413539QH9fw1VPbUOOm3sc', 'YjHtlPxZDiaeXm7TGeRjSkRDQucD9d9uUFjjDrBNcaRCrYOxPKe6SgCd7Bi74a3HYDyPLNi1M', '_0mAxNrZbMrc5J43DjEjIdshY3SG9gagbhzMLtQ7YWJpLiSYtNGeD4RBXeoez1VsALjVJmSHAn', 'qFzlV23OWwT0snF7cifDmiyHeHTwryylH3wztWMyYnC2g8QAXnHdJDnWzZat539aGA6WVhhHm', 'YFegfYDU4LRrMQUKbaktZ2uHjPHP1w3QQHdP0MaSdrrZgIvFUvPXqpuilaLmZRGvQM61eCWwI', 'JA71vmN0tCkWcNeToGPAb8MSxUiJtcXMzNCbI8N755ssVQKz4j5fJUj4AEVwiSn0cT6XZ3fTZ', 'yvvzEunX47ioK4QtldE2dTioVawDzNaWxamU06Fqcm5Tr6sBQzv68M7Q9NaqJJ6KbfUseLLsI', '_1XmlDwtreV9bGb4swl5vKcQDjME7GP0fCjYBjjBPdUrLH2xbTq9Pgep5YuoAS2IYhtW9dU5PY'
                      Source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, RTTzOahPFW7d0Zn.csHigh entropy of concatenated method names: 'V1RTVC7TiJacYE1', 'DEn4qzOxYhrwVuu', 'V6ciQ54NbMoZOnx', 'JHCMjrub7CWJyRU', 'JT43sN7n1JHVCEk', 'NM6kUB4UIiaOPuW', 'zNdHF7dTD44NTlE', 'tUhYattER9lrf5r', 'ceI2NIngLJCVu0s', 'aoeN6Iq6TuV6rsv'
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File created: C:\Users\user\AppData\Local\XClient.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe"
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exe  Process information set: NOOPENFILEERRORBOX  (56 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\XClient.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 rows)
Source: fvbhdyuJYi.exe, XClient.exe.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Memory allocated: 1AA00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: 1A850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: 1A730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: 810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: 1A460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe | Memory allocated: 1A9F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 rows)
Source: C:\Users\user\AppData\Local\XClient.exe | Thread delayed: delay time: 922337203685477 (4 rows)
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Window / User API: threadDelayed 8912
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Window / User API: threadDelayed 942
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5857
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2589
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7110
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3750
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe TID: 2352 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000 | Thread sleep count: 6896 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000 | Thread sleep count: 2589 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep count: 2508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep count: 7110 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 3232 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 4132 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 4200 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 7780 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | File Volume queried: C:\ FullSizeInformation (4 rows)
Source: C:\Users\user\AppData\Local\XClient.exe | File Volume queried: C:\ FullSizeInformation (4 rows)
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 rows)
Source: C:\Users\user\AppData\Local\XClient.exe | Thread delayed: delay time: 922337203685477 (4 rows)
Source: XClient.exe.0.dr | Binary or memory string: vmware
Source: fvbhdyuJYi.exe, 00000000.00000002.2660321011.000000001B953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process information queried: ProcessInformation

                      Anti Debugging

Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Code function: 0_2_00007FFB4AEF7A51 CheckRemoteDebuggerPresent, 0_2_00007FFB4AEF7A51
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process token adjusted: Debug (2 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 rows)
Source: C:\Users\user\AppData\Local\XClient.exe | Process token adjusted: Debug (2 rows)
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe' (4 rows)
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe' (3 rows)
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fvbhdyuJYi.exe'
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe"
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2}
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
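The rows above record the dropper's two host-side protection evasions (Defender exclusions added through PowerShell with the execution policy bypassed, and a scheduled task re-launching the payload from the user's profile every minute at the highest run level), and the evasion section records the ip-api.com lookup of the "hosting" field. The detector below is an added example written for this page, not Joe Sandbox code and not code from the sample: it runs over constructed process-creation and HTTP events (re-typed from the report rows, plus two benign controls) and flags each technique. It handles two things a literal string match misses: PowerShell binds unambiguous parameter prefixes, and schtasks applies defaults for /mo and /RL when they are omitted. The event field names, the user-writable directory list and the "five minutes or less" interval threshold are assumptions of the example.

```python
"""Hunt for the TTPs recorded above in process-creation and HTTP telemetry.
Added example written for this page: the detectors and the events below are
constructed (events re-typed from the report rows); none of it is Joe Sandbox code."""
import re
from urllib.parse import parse_qs, urlsplit

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')  # quoted arguments stay whole
# Assumed list of directories a standard user can write to; a task action living here deserves scrutiny.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Desktop|Downloads|Users\\Public)\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace and drop surrounding quotes."""
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]


def detect_defender_exclusion(cmdline):
    """Return (exclusions, bypass): the (parameter, value) pairs handed to
    Add-/Set-MpPreference, and whether the line also sets the execution policy to
    Bypass. PowerShell binds unambiguous parameter prefixes ("-ExclusionPa") and
    powershell.exe accepts "-ep"/"-exec" for -ExecutionPolicy, so match prefixes."""
    toks = tokenize(cmdline)
    lower = [t.lower() for t in toks]
    if not {"add-mppreference", "set-mppreference"} & set(lower):
        return [], False
    pairs = list(zip(lower, lower[1:]))
    exclusions = [(toks[i], toks[i + 1]) for i, (t, _) in enumerate(pairs)
                  if t.startswith("-exclusion")]
    bypass = any(nxt == "bypass" and (t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t)))
                 for t, nxt in pairs)
    return exclusions, bypass


def detect_schtasks_persistence(cmdline):
    """Parse a schtasks /create line into a dict, or None if it creates no task.
    Defaults mirror schtasks: /mo is 1 for a MINUTE schedule, /RL is LIMITED."""
    toks = tokenize(cmdline)
    lower = [t.lower() for t in toks]
    exe = lower[0].rsplit("\\", 1)[-1] if lower else ""
    if exe not in ("schtasks", "schtasks.exe") or "/create" not in lower:
        return None

    def arg(flag):  # value following a switch, or None when absent
        return toks[lower.index(flag) + 1] if flag in lower[:-1] else None

    sched, mo = (arg("/sc") or "").lower(), arg("/mo")
    interval = (int(mo) if mo and mo.isdigit() else 1) if sched == "minute" else None
    action = arg("/tr") or ""
    return {"name": arg("/tn"), "action": action, "interval_minutes": interval,
            "run_level": (arg("/rl") or "LIMITED").upper(),
            "user_writable_action": bool(USER_WRITABLE.search(action))}


def detect_hosting_check(host, uri):
    """True for an ip-api.com lookup that requests the 'hosting' field. The sample
    used /line/?fields=hosting; the json/ and xml/ endpoints take the same
    parameter, so key on the query rather than the path."""
    if host.lower() != "ip-api.com":
        return False
    fields = parse_qs(urlsplit(uri).query).get("fields", [])
    return any("hosting" in f.split(",") for f in fields)


def hunt(events):
    """Run the three detectors over a list of events and return the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            exclusions, bypass = detect_defender_exclusion(ev["cmdline"])
            for param, value in exclusions:
                findings.append({"rule": "defender_exclusion", "parent": ev["parent"],
                                 "detail": (param, value), "policy_bypass": bypass})
            task = detect_schtasks_persistence(ev["cmdline"])
            if task and (task["user_writable_action"] or task["run_level"] == "HIGHEST"
                         or (task["interval_minutes"] or 999) <= 5):  # assumed threshold
                findings.append({"rule": "schtasks_persistence", "parent": ev["parent"],
                                 "detail": (task["name"], task["action"], task["interval_minutes"])})
        elif ev["type"] == "http" and detect_hosting_check(ev["host"], ev["uri"]):
            findings.append({"rule": "hosting_check", "parent": ev["process"],
                             "detail": (ev["host"], ev["uri"])})
    return findings


# Constructed events: four re-typed from the rows above, then two benign controls.
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '
DROPPER = r"C:\Users\user\Desktop\fvbhdyuJYi.exe"
SAMPLE_EVENTS = [
    {"type": "process", "parent": DROPPER,
     "cmdline": PS + r"-ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'"},
    {"type": "process", "parent": DROPPER, "cmdline": PS + r"-ExclusionProcess 'XClient.exe'"},
    {"type": "process", "parent": DROPPER,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe"'},
    {"type": "http", "process": DROPPER, "host": "ip-api.com", "uri": "/line/?fields=hosting"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
]
```

hunt(SAMPLE_EVENTS) returns four findings (two exclusions, the task, the lookup) and nothing for the two controls. Add-MpPreference only succeeds from an elevated process, so a hit whose parent lives under the user's profile, as here, says as much about the parent as about the exclusion; on a suspect host, compare the ExclusionPath and ExclusionProcess lists reported by Get-MpPreference against what is expected there.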
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Queries volume information: C:\Users\user\Desktop\fvbhdyuJYi.exe VolumeInformation
Source: C:\Users\user\Desktop\fvbhdyuJYi.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: fvbhdyuJYi.exe, 00000000.00000002.2660321011.000000001B953000.00000004.00000020.00020000.00000000.sdmp, fvbhdyuJYi.exe, 00000000.00000002.2660321011.000000001B9E8000.00000004.00000020.00020000.00000000.sdmp, fvbhdyuJYi.exe, 00000000.00000002.2665475653.000000001C510000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\fvbhdyuJYi.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: fvbhdyuJYi.exe, type: SAMPLE
Source: Yara match | File source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fvbhdyuJYi.exe.2acf720.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2652211933.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fvbhdyuJYi.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\XClient.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: fvbhdyuJYi.exe, type: SAMPLE
Source: Yara match | File source: 0.0.fvbhdyuJYi.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fvbhdyuJYi.exe.2acf720.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fvbhdyuJYi.exe.2acf720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2652211933.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fvbhdyuJYi.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\XClient.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count shown next to that technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (151); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (541); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (23); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1579077 | Sample: fvbhdyuJYi.exe | Startdate: 20/12/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  Started: fvbhdyuJYi.exe (15 6); XClient.exe; XClient.exe; 2 other processes

fvbhdyuJYi.exe
  DNS/IP: 147.185.221.24, 37020, 49710, 49711, SALSGIVERUS, United States; ip-api.com 208.95.112.1, 49706, 80, TUT-ASUS, United States
  Dropped: C:\Users\user\AppData\Local\XClient.exe, PE32
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
  Started: powershell.exe (23); powershell.exe (23); powershell.exe (23); 2 other processes

XClient.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

powershell.exe (first instance)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe (second instance)
  Started: conhost.exe

powershell.exe (third instance)
  Started: conhost.exe

2 other processes
  Started: conhost.exe; conhost.exe

Source | Detection | Scanner | Label | Link
fvbhdyuJYi.exe | 87% | ReversingLabs | Win32.Exploit.Xworm |
fvbhdyuJYi.exe | 100% | Avira | TR/Spy.Gen |
fvbhdyuJYi.exe | 100% | Joe Sandbox ML |  |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\XClient.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\XClient.exe | 100% | Joe Sandbox ML |  |
C:\Users\user\AppData\Local\XClient.exe | 87% | ReversingLabs | Win32.Exploit.Xworm |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false |  | high

Name | Malicious | Antivirus Detection | Reputation
147.185.221.24 | true |  | unknown
http://ip-api.com/line/?fields=hosting | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1489915659.000001F4E6150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1604732024.0000027E18CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1743779648.0000026492A7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.m | powershell.exe, 00000005.00000002.1615926735.0000027E21115000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1464389484.000001F4D6309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08E69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482C3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1464389484.000001F4D6309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08E69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482C3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000008.00000002.1760388313.000002649AE80000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1489915659.000001F4E6150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1604732024.0000027E18CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1743779648.0000026492A7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.mic | powershell.exe, 00000008.00000002.1760388313.000002649AE80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1981913199.000001AF69A49000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://ip-api.com | fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1936815729.000001AF6143F000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.micft.cMicRosof | powershell.exe, 00000008.00000002.1760388313.000002649AE80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1981913199.000001AF69A49000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1464389484.000001F4D60E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF513D1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | fvbhdyuJYi.exe, 00000000.00000002.2652211933.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1464389484.000001F4D60E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1536110650.0000027E08C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1652210634.0000026482A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1802910620.000001AF513D1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1802910620.000001AF515F9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States |  | 53334 | TUT-ASUS | false
147.185.221.24 | unknown | United States |  | 12087 | SALSGIVERUS | true
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1579077
                                                              Start date and time:2024-12-20 19:12:08 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 29s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:21
                                                              Number of new started drivers analysed:0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fvbhdyuJYi.exe
(renamed because original name is a hash value)
Original Sample Name: 8173d5d5f34b1de85ad5dabe4b8c11f137af490ca86488ea43527d1620388f55.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@20/21@1/2
EGA Information:
• Successful, ratio: 11.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 106
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XClient.exe, PID 1568 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 2100 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 3712 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 7728 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5420 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7688 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7924 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8132 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: fvbhdyuJYi.exe
Time     | Type            | Description
13:13:06 | API Interceptor | 54x Sleep call for process: powershell.exe modified
13:14:08 | API Interceptor | 145x Sleep call for process: fvbhdyuJYi.exe modified
19:14:04 | Task Scheduler  | Run new task: XClient path: C:\Users\user\AppData\Local\XClient.exe
19:14:05 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Local\XClient.exe
19:14:14 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Local\XClient.exe
19:14:22 | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | twE44mm07j.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | YgJ5inWPQO.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | KJhsNv2RcI.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | gs7lQa4EuM.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | doc00290320092.jse | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL_231437894819.bat.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | dlhost.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | WdlA0C4PkO.exe | Get hash | malicious | Go Stealer, Skuld Stealer | Browse | ip-api.com/json
208.95.112.1 | xt.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | roblox1.exe | Get hash | malicious | Python Stealer, Monster Stealer | Browse | ip-api.com/json
147.185.221.24 | KJhsNv2RcI.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | PjGz899RZV.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | ehxF3rusxJ.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | Client-built-Playit.exe | Get hash | malicious | Quasar | Browse |
147.185.221.24 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | Browse |
147.185.221.24 | 72OWK7wBVH.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | aZDwfEKorn.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | HdTSntLSMB.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | file.exe | Get hash | malicious | XWorm | Browse |
147.185.221.24 | file.exe | Get hash | malicious | XWorm | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | YgJ5inWPQO.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
ip-api.com | KJhsNv2RcI.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | gs7lQa4EuM.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | doc00290320092.jse | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.95.112.1
ip-api.com | DHL_231437894819.bat.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | dlhost.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | WdlA0C4PkO.exe | Get hash | malicious | Go Stealer, Skuld Stealer | Browse | 208.95.112.1
ip-api.com | xt.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | roblox1.exe | Get hash | malicious | Python Stealer, Monster Stealer | Browse | 208.95.112.1
ip-api.com | roblox.exe | Get hash | malicious | Python Stealer, Monster Stealer | Browse | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TUT-AS | twE44mm07j.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-AS | YgJ5inWPQO.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
TUT-AS | KJhsNv2RcI.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-AS | gs7lQa4EuM.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-AS | doc00290320092.jse | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.95.112.1
TUT-AS | file.exe | Get hash | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | Browse | 208.95.112.1
TUT-AS | DHL_231437894819.bat.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-AS | dlhost.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-AS | WdlA0C4PkO.exe | Get hash | malicious | Go Stealer, Skuld Stealer | Browse | 208.95.112.1
TUT-AS | xt.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
SALSGIVERUS | 8DiSW8IPEF.exe | Get hash | malicious | XWorm | Browse | 147.185.221.24
SALSGIVERUS | twE44mm07j.exe | Get hash | malicious | XWorm | Browse | 147.185.221.18
SALSGIVERUS | YgJ5inWPQO.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 147.185.221.18
SALSGIVERUS | dr2YKJiGH9.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
SALSGIVERUS | KJhsNv2RcI.exe | Get hash | malicious | XWorm | Browse | 147.185.221.24
SALSGIVERUS | PjGz899RZV.exe | Get hash | malicious | XWorm | Browse | 147.185.221.24
SALSGIVERUS | ehxF3rusxJ.exe | Get hash | malicious | XWorm | Browse | 147.185.221.24
SALSGIVERUS | loligang.ppc.elf | Get hash | malicious | Mirai | Browse | 147.184.134.130
SALSGIVERUS | Client-built-Playit.exe | Get hash | malicious | Quasar | Browse | 147.185.221.24
SALSGIVERUS | PowerRat.exe | Get hash | malicious | AsyncRAT | Browse | 147.185.221.211
No context
No context
                                                                                  Process:C:\Users\user\AppData\Local\XClient.exe
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):654
                                                                                  Entropy (8bit):5.380476433908377
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):0.34726597513537405
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlll:Nll
                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                  Malicious:false
                                                                                  Preview:@...e...........................................................
                                                                                  Process:C:\Users\user\Desktop\fvbhdyuJYi.exe
                                                                                  File Type:Generic INItialization configuration [WIN]
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):3.6722687970803873
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                                  MD5:DE63D53293EBACE29F3F54832D739D40
                                                                                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                                  Malicious:false
                                                                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Users\user\Desktop\fvbhdyuJYi.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):59904
                                                                                  Entropy (8bit):5.8995486741763505
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:zrDSty9PcNQXj8tFvBEAT8FqAfEOy7bD9jkxo6pyYFOOhF7ZXOf:vJucItgi8fWbD9B6jFOOHFef
                                                                                  MD5:F10A238CB146D57EB93956DBC6769B20
                                                                                  SHA1:BD51C0F1AA78F671586F557DADF896747EFEF24A
                                                                                  SHA-256:8173D5D5F34B1DE85AD5DABE4B8C11F137AF490CA86488EA43527D1620388F55
                                                                                  SHA-512:318DAFE0DE31333D5ED0D204B17DDCA9D81A885EA1DE0974C5F23C2D3496BB4070D2A22F95125AA685D44C9CE0C02D75055B189070282A1C4722AC4B97002080
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\XClient.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\XClient.exe, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\XClient.exe, Author: ditekSHen
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                                                  Process:C:\Users\user\Desktop\fvbhdyuJYi.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 17:14:03 2024, mtime=Fri Dec 20 17:14:05 2024, atime=Fri Dec 20 17:14:03 2024, length=59904, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):960
                                                                                  Entropy (8bit):5.053137928537684
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8LoROIfC9ARABAqUme47e1bBJhBJFqygm:8EOLARASqUme461jh/cyg
                                                                                  MD5:98A4BD9ADFB393F8ECF06603F6996162
                                                                                  SHA1:2736FCE4D1E5BE8D673B31A1406EFC1AEA3F0F01
                                                                                  SHA-256:835AD9300577CEBCC8AA7283EFDB6EDCEE9B9EEE8F11C9658179362AF182D1CD
                                                                                  SHA-512:F930E31E5DCD22D41B8F8D56025F8CE9615E58327567515E712694867385DC32378521650D17827D188E75FBC386320A57842E430101001F6E078A0DE90A6F08
                                                                                  Malicious:false
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):5.8995486741763505
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:fvbhdyuJYi.exe
                                                                                  File size:59'904 bytes
                                                                                  MD5:f10a238cb146d57eb93956dbc6769b20
                                                                                  SHA1:bd51c0f1aa78f671586f557dadf896747efef24a
                                                                                  SHA256:8173d5d5f34b1de85ad5dabe4b8c11f137af490ca86488ea43527d1620388f55
                                                                                  SHA512:318dafe0de31333d5ed0d204b17ddca9d81a885ea1de0974c5f23c2d3496bb4070d2a22f95125aa685d44c9ce0c02d75055b189070282a1c4722ac4b97002080
                                                                                  SSDEEP:768:zrDSty9PcNQXj8tFvBEAT8FqAfEOy7bD9jkxo6pyYFOOhF7ZXOf:vJucItgi8fWbD9B6jFOOHFef
                                                                                  TLSH:C4437D5C7BD54925D1FE9BB918F23212C734E6A39C13D62F68D901CE1B27A8CCA107E9
                                                                                  Icon Hash:00928e8e8686b000
                                                                                  Entrypoint:0x40fe2e
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x67646DB4 [Thu Dec 19 19:02:12 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfde0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x4e6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xde34 | 0xe000 | 378c491fb0e1a9d171f1be5dbc256ea2 | False | 0.5769217354910714 | data | 5.991730348932005 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x4e6 | 0x600 | 62598b390e39321b7ab7cb67d73c602b | False | 0.376953125 | data | 3.7452305339937935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12000 | 0xc | 0x200 | 28f177cc00843c7a452e97edf1ccc5e8 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x100a0 | 0x25c | data | | | 0.46357615894039733
RT_MANIFEST | 0x102fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T19:14:22.645159+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49710 | 147.185.221.24 | 37020 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:13:05.093136072 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 20, 2024 19:13:05.214720964 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 20, 2024 19:13:05.214787006 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 20, 2024 19:13:05.215665102 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 20, 2024 19:13:05.335536003 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 20, 2024 19:13:06.335542917 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 20, 2024 19:13:06.391680956 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 20, 2024 19:14:01.897286892 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 20, 2024 19:14:01.897361994 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 20, 2024 19:14:09.999020100 CET | 49710 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:10.118767977 CET | 37020 | 49710 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:10.118908882 CET | 49710 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:10.173940897 CET | 49710 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:10.293442965 CET | 37020 | 49710 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:22.645159006 CET | 49710 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:22.765881062 CET | 37020 | 49710 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:32.015774012 CET | 37020 | 49710 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:32.015949965 CET | 49710 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:35.485826015 CET | 49710 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:35.487785101 CET | 49711 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:35.605604887 CET | 37020 | 49710 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:35.607319117 CET | 37020 | 49711 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:35.607475042 CET | 49711 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:35.641156912 CET | 49711 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:35.760907888 CET | 37020 | 49711 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:46.409346104 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 20, 2024 19:14:46.528861046 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 20, 2024 19:14:48.939495087 CET | 49711 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:49.059138060 CET | 37020 | 49711 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:57.532346964 CET | 37020 | 49711 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:57.532480001 CET | 49711 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:57.642177105 CET | 49711 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:57.643233061 CET | 49712 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:57.761877060 CET | 37020 | 49711 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:57.762768030 CET | 37020 | 49712 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:14:57.762953043 CET | 49712 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:57.795090914 CET | 49712 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:14:57.914542913 CET | 37020 | 49712 | 147.185.221.24 | 192.168.2.8
Dec 20, 2024 19:15:10.017313957 CET | 49712 | 37020 | 192.168.2.8 | 147.185.221.24
Dec 20, 2024 19:15:10.187136889 CET | 37020 | 49712 | 147.185.221.24 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:13:04.948152065 CET | 57297 | 53 | 192.168.2.8 | 1.1.1.1
Dec 20, 2024 19:13:05.086611986 CET | 53 | 57297 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 19:13:04.948152065 CET | 192.168.2.8 | 1.1.1.1 | 0x15e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 19:13:05.086611986 CET | 1.1.1.1 | 192.168.2.8 | 0x15e | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 7516 | C:\Users\user\Desktop\fvbhdyuJYi.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 19:13:05.215665102 CET | 80 | OUT |
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 20, 2024 19:13:06.335542917 CET | 175 | IN |
HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:13:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Target ID: 0
Start time: 13:12:59
Start date: 20/12/2024
Path: C:\Users\user\Desktop\fvbhdyuJYi.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\fvbhdyuJYi.exe"
Imagebase: 0x780000
File size: 59'904 bytes
MD5 hash: F10A238CB146D57EB93956DBC6769B20
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2652211933.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2652211933.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1380244638.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 2
Start time: 13:13:05
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fvbhdyuJYi.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:13:05
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 13:13:12
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fvbhdyuJYi.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 13:13:12
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:13:24
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 13:13:24
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:13:39
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 13:13:39
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:13:14:03
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Local\XClient.exe"
                                                                                  Imagebase:0x7ff74b7c0000
                                                                                  File size:235'008 bytes
                                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:13:14:03
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6ee680000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:13:14:04
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Local\XClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Users\user\AppData\Local\XClient.exe
                                                                                  Imagebase:0x620000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:F10A238CB146D57EB93956DBC6769B20
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\XClient.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\XClient.exe, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\XClient.exe, Author: ditekSHen
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 87%, ReversingLabs
                                                                                  Has exited:true

                                                                                  Target ID:17
                                                                                  Start time:13:14:13
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Local\XClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\XClient.exe"
                                                                                  Imagebase:0x4c0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:F10A238CB146D57EB93956DBC6769B20
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:18
                                                                                  Start time:13:14:22
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Local\XClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\XClient.exe"
                                                                                  Imagebase:0x1d0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:F10A238CB146D57EB93956DBC6769B20
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:20
                                                                                  Start time:13:15:01
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Local\XClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Users\user\AppData\Local\XClient.exe
                                                                                  Imagebase:0x6f0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:F10A238CB146D57EB93956DBC6769B20
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:23.5%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:8.1%
                                                                                    Total number of Nodes:37
                                                                                    Total number of Limit Nodes:0
                                                                                    Execution graph (rendered graph omitted; node addresses are in the 7ffb4aef0000 memory region). Recoverable call sites: 7ffb4aef9da1 calls SetWindowsHookExW; 7ffb4aef97f1, 7ffb4aef97f7, 7ffb4aef97f8, 7ffb4aef9808, 7ffb4aef9818 and 7ffb4aef98d2 call RtlSetProcessIsCritical (reached repeatedly from 7ffb4aefa584, 7ffb4aefa663 and 7ffb4aefb25e); 7ffb4aef7a9e calls CheckRemoteDebuggerPresent.

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CAO_^
                                                                                    • API String ID: 0-3111533842
                                                                                    • Opcode ID: f8918fcd7fd3371ba647621c893098a11063d557f51c08104ec31d33f1fb92f9
                                                                                    • Instruction ID: fd25d8faa414ad8387371a81b2c9e72479265d6d21fda1f4033701b7876aba0e
                                                                                    • Opcode Fuzzy Hash: f8918fcd7fd3371ba647621c893098a11063d557f51c08104ec31d33f1fb92f9
                                                                                    • Instruction Fuzzy Hash: 5B22C6A0B6DA099FE798FB3CC45977977D6FF88300F6445B9E44DC3282DE29A8428741

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175
                                                                                    • Opcode ID: 64cc197cd1301ab912222258535f1eee60eac0221e5d0452e87e28b998242336
                                                                                    • Instruction ID: ed1f69f277b54d0c38644c3e156c969aea3419ad284e16fa84594f8ebd5fdc12
                                                                                    • Opcode Fuzzy Hash: 64cc197cd1301ab912222258535f1eee60eac0221e5d0452e87e28b998242336
                                                                                    • Instruction Fuzzy Hash: A0B1A2B0B5CA095FEB99FF38C8552B977D6FF98300F2441B9E45EC7292DE28A8424741

                                                                                    Control-flow Graph

                                                                                    Control-flow graph (rendered graph omitted): basic blocks 7ffb4aef7a51-7ffb4aef7b0d (calls CheckRemoteDebuggerPresent), 7ffb4aef7b0f and 7ffb4aef7b15-7ffb4aef7b58.
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                    • String ID:
                                                                                    • API String ID: 3662101638-0
                                                                                    • Opcode ID: 58ef75ae03ae7e860f8bcda1724b685f7dfd358c7b00894a5ac75e3eb3c0c419
                                                                                    • Instruction ID: 079ab742b5f908987883943b5cf5afed5db6459c30f4bbd719631425977e2d1b
                                                                                    • Opcode Fuzzy Hash: 58ef75ae03ae7e860f8bcda1724b685f7dfd358c7b00894a5ac75e3eb3c0c419
                                                                                    • Instruction Fuzzy Hash: 923113719087588FCB58DF58C88A7E9BBE0FF65311F0542AAD489D7252D734A842CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8d9bdc703c805cac200052fb282c3e13f6f4d3804bb30ba000b3c2684b95620
                                                                                    • Instruction ID: 7f903c39cfcd0c52249fbb3e45b87f95c99aaf706f451227ac0274795efb2ab7
                                                                                    • Opcode Fuzzy Hash: a8d9bdc703c805cac200052fb282c3e13f6f4d3804bb30ba000b3c2684b95620
                                                                                    • Instruction Fuzzy Hash: 83F1B57050CA8D8FEBA8EF28C8557E977D1FF58300F2442AEE85DC7291DB7499458B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c819052c32a7031365a02de266f38dad12b68464ecd912a08623186f78fc4782
                                                                                    • Instruction ID: c7df5f97630e67d120e04f425e650d412f5113cd76f4638780045d2d4bb86b50
                                                                                    • Opcode Fuzzy Hash: c819052c32a7031365a02de266f38dad12b68464ecd912a08623186f78fc4782
                                                                                    • Instruction Fuzzy Hash: AFE1C2B050CA4E8FEBA8EF28C8557E977D1FF54310F24426EE85DC7291DE74A8458B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a3fa2231560d1429a796d912c71c53c9a0550d43fabb1e2d4844d65bb202b50d
                                                                                    • Instruction ID: e69de213a51101325cbc1a4ea32c221a24b3a27521e7da68129e1102153dc1fd
                                                                                    • Opcode Fuzzy Hash: a3fa2231560d1429a796d912c71c53c9a0550d43fabb1e2d4844d65bb202b50d
                                                                                    • Instruction Fuzzy Hash: E351249065E6C64FD797BB3888242757FD5EF87215B2800FAE0DDCB193DE084806C346

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: b0717fefba57d5058fb3c71685c885650e1a81920131dde0d31413eca5785747
                                                                                    • Instruction ID: d20f70903ff69a75a9f0ab5a90ffaaaf675557a810d67feafe9855f7689af9ba
                                                                                    • Opcode Fuzzy Hash: b0717fefba57d5058fb3c71685c885650e1a81920131dde0d31413eca5785747
                                                                                    • Instruction Fuzzy Hash: F9B144B290CB855FE715AEA898462B97FE4FF56314F2440BEE0CAC7183DA2468068791

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: bdf5813934b0036306b4968ab95b4ce0b331bac7938d8a9a1e2f8dc61bb8e54e
                                                                                    • Instruction ID: 6c03cda9cc457fb616303be907ecb17a63c27a697afad5711b9c4b6719137bda
                                                                                    • Opcode Fuzzy Hash: bdf5813934b0036306b4968ab95b4ce0b331bac7938d8a9a1e2f8dc61bb8e54e
                                                                                    • Instruction Fuzzy Hash: 895167B190CB858FE729EFA898456E9BFE0FF55310F2440BEE0CA83193DA245846C791

                                                                                    Control-flow Graph

                                                                                    Control-flow graph (rendered graph omitted): basic blocks 7ffb4aef97f7-7ffb4aef97fe, 7ffb4aef97ff-7ffb4aef9849, 7ffb4aef984b-7ffb4aef9930 (calls RtlSetProcessIsCritical), 7ffb4aef9932 and 7ffb4aef9938-7ffb4aef996d.
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: 84d1be1a778388267c1760e3aa78817f0514a0a9e976c92a12555c94981f3d90
                                                                                    • Instruction ID: 381e8d51f7e4a9983c6644f173892790366ccb3801788381b6cabd2b9ef4bc49
                                                                                    • Opcode Fuzzy Hash: 84d1be1a778388267c1760e3aa78817f0514a0a9e976c92a12555c94981f3d90
                                                                                    • Instruction Fuzzy Hash: 4A5147B190CB858FE729EFAC98456E9BFE0FF55310F2441AEE0CAC3193DA245846C791

                                                                                    Control-flow Graph

                                                                                    Control-flow graph (rendered graph omitted): basic blocks 7ffb4aef97f7-7ffb4aef980f, 7ffb4aef9811-7ffb4aef9849, 7ffb4aef984b-7ffb4aef9930 (calls RtlSetProcessIsCritical), 7ffb4aef9932 and 7ffb4aef9938-7ffb4aef996d.
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: d141759ef2c70fb3ef6d8100c0a4d55dadccd2cde6554a963d0582d7e649306d
                                                                                    • Instruction ID: 1a8b58262e70c9cd727641982987e3b5011b1304463f70abd8d68848888e4e41
                                                                                    • Opcode Fuzzy Hash: d141759ef2c70fb3ef6d8100c0a4d55dadccd2cde6554a963d0582d7e649306d
                                                                                    • Instruction Fuzzy Hash: 7E4127B190CB858FE719AFACE8456E9BFE4FF55310F24416EE0CAC3182DA246846C791
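                                                                                    The block above calls RtlSetProcessIsCritical, which sets the BreakOnTermination flag on the running process so that killing it bugchecks the machine. The following PowerShell is an added example, not part of the Joe Sandbox report or of the sample, showing how a responder can read that flag back from live processes with NtQueryInformationProcess (information class ProcessBreakOnTermination, value 29). It assumes a Windows host, an account able to open the target processes, and the standard ntdll export signature; the process sweep at the end is the usage call.

```powershell
# Added example (not from the report): find processes whose BreakOnTermination
# ("critical process") flag is set, the state RtlSetProcessIsCritical leaves behind.
# Assumption: the account can open the processes of interest (admin-equivalent).

$signature = @'
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(
    IntPtr ProcessHandle, int ProcessInformationClass,
    ref uint ProcessInformation, int ProcessInformationLength, ref int ReturnLength);
'@
$ntdll = Add-Type -MemberDefinition $signature -Name 'NtDll' -Namespace 'Win32' -PassThru

# PROCESSINFOCLASS::ProcessBreakOnTermination = 0x1D (29).
$ProcessBreakOnTermination = 29

function Test-CriticalProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $flag = [uint32]0
    $returned = 0
    $status = $ntdll::NtQueryInformationProcess(
        $proc.Handle, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
    if ($status -ne 0) {
        throw ("NtQueryInformationProcess failed for PID {0}: 0x{1:X8}" -f $ProcessId, $status)
    }
    [pscustomobject]@{
        ProcessId          = $ProcessId
        Name               = $proc.ProcessName
        Path               = $proc.Path
        BreakOnTermination = ($flag -ne 0)
    }
}

# Sweep every process we can open. csrss/wininit/smss/services are expected to carry
# the flag; a user-land .NET binary or a PowerShell host with it set is the finding.
Get-Process | ForEach-Object {
    try { Test-CriticalProcess -ProcessId $_.Id } catch { }
} | Where-Object BreakOnTermination | Format-Table -AutoSize
```

                                                                                    Do not terminate a flagged process directly; the kernel raises a CRITICAL_PROCESS_DIED bugcheck when it exits. Clear the flag first (NtSetInformationProcess with the same class and a zero value, which needs SeDebugPrivilege) and only then stop the process.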

                                                                                    Control-flow Graph (node legend: Executed / Not Executed)
                                                                                    • Basic blocks: 400 7ffb4aef9d98-7ffb4aef9d9f; 401 7ffb4aef9daa-7ffb4aef9e1d; 402 7ffb4aef9da1-7ffb4aef9da9; 405 7ffb4aef9ea9-7ffb4aef9ead; 406 7ffb4aef9e23-7ffb4aef9e30; 407 7ffb4aef9e32-7ffb4aef9e6f (calls SetWindowsHookExW); 408 7ffb4aef9e77-7ffb4aef9ea8; 409 7ffb4aef9e71
                                                                                    • Edges: 400->401, 400->402, 401->405, 401->406, 402->401, 405->407, 406->407, 407->408, 407->409, 409->408
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2668127859.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffb4aef0000_fvbhdyuJYi.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: 114578ee4ad71591f3eae0fc371742f2fb9d7dcf9dfad64f6a73246c10323a1d
                                                                                    • Instruction ID: 8b6e935497d8080d073d7b012b9b6c7372e35b44af547fd766c8c30ee62026a0
                                                                                    • Opcode Fuzzy Hash: 114578ee4ad71591f3eae0fc371742f2fb9d7dcf9dfad64f6a73246c10323a1d
                                                                                    • Instruction Fuzzy Hash: 30310A70A0CA498FDB18EF6CD8466F9BBE1EB59311F10427EE059C3292CA65A812C7C1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499874212.00007FFB4AFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4afc0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (B K$(B K$(B K$(B K$(B K
                                                                                    • API String ID: 0-4293165076
                                                                                    • Opcode ID: ce607142a0bd05693f93ca6325b734bffea9710582b03cb9cabb169632d813ae
                                                                                    • Instruction ID: e80a36c8cb4c5ef6f2372c2713bcfb08601200496ba599dda8f9bd0d46d05181
                                                                                    • Opcode Fuzzy Hash: ce607142a0bd05693f93ca6325b734bffea9710582b03cb9cabb169632d813ae
                                                                                    • Instruction Fuzzy Hash: 85D124A290EB894FE796AF7988591B57FE5FF56210F2801FED48DCB0C3DA189805C351
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499874212.00007FFB4AFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4afc0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8> K
                                                                                    • API String ID: 0-1319402354
                                                                                    • Opcode ID: a8ba62ec87863fd00b71faf8a3bdb3219c4ca2ddc7dec3d6c0812e5a6e5bdfa2
                                                                                    • Instruction ID: 3dadd516108762b03cdc2e6b4255453fe9553278236fa8d62ff8a6368b07cc2c
                                                                                    • Opcode Fuzzy Hash: a8ba62ec87863fd00b71faf8a3bdb3219c4ca2ddc7dec3d6c0812e5a6e5bdfa2
                                                                                    • Instruction Fuzzy Hash: E55124A2A4CA4A4FE79AEE2DC55567577E6FF94222F2800FAC08DC71D7DD14EC058381
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499874212.00007FFB4AFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4afc0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p> K
                                                                                    • API String ID: 0-268700576
                                                                                    • Opcode ID: 0e05e33ab6995ad54aabd5d04344370902630b010028b8d1a465413b52f080b2
                                                                                    • Instruction ID: 50b6c96928a8af89fc15397073a5dfc478ed28e6d021f50b26c82d56d05af6f9
                                                                                    • Opcode Fuzzy Hash: 0e05e33ab6995ad54aabd5d04344370902630b010028b8d1a465413b52f080b2
                                                                                    • Instruction Fuzzy Hash: F14124A2A1DA494FE7A9EE3CD8556B977D5FF84321F2800FAD44EC31C7D914AC058391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499874212.00007FFB4AFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4afc0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8> K
                                                                                    • API String ID: 0-1319402354
                                                                                    • Opcode ID: 2ef97c619f3536b5ba3b2a4e941d647aaa60dc3733f72e9ce3c21d089abfc844
                                                                                    • Instruction ID: 71bf0a4be1c74e6cb41fc4570373df9c7a3effa6ee094c94f0155ad0cc0c3737
                                                                                    • Opcode Fuzzy Hash: 2ef97c619f3536b5ba3b2a4e941d647aaa60dc3733f72e9ce3c21d089abfc844
                                                                                    • Instruction Fuzzy Hash: 602125A2A8DA474FE7AAEE2DC55913467D9FF60312F6900F9D09DC71E6CD18DC058341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499874212.00007FFB4AFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4afc0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p> K
                                                                                    • API String ID: 0-268700576
                                                                                    • Opcode ID: 390ae8bf6e2c7820286a89b6365dac88207654f40e791d0d09cc50d6a9154233
                                                                                    • Instruction ID: 7aa3456aa38e9174635f76a01462c578affe0880dea886812e199fe16e9f21cb
                                                                                    • Opcode Fuzzy Hash: 390ae8bf6e2c7820286a89b6365dac88207654f40e791d0d09cc50d6a9154233
                                                                                    • Instruction Fuzzy Hash: 321102B2A1D9494FE7A4EE2DD4995B477D9FF84322B6900F6E44DC31DADD18AC008391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499327679.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4aef0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7ae55d543bbbdbc107fe5aab38c27f433b16756edecd93e3c93eb7f525f029bf
                                                                                    • Instruction ID: 8a31d382f5abfbc9ad7fb5602b9a1fc86fd9d2c99af04e87eb2ec05b968cb9cb
                                                                                    • Opcode Fuzzy Hash: 7ae55d543bbbdbc107fe5aab38c27f433b16756edecd93e3c93eb7f525f029bf
                                                                                    • Instruction Fuzzy Hash: C47127A3A0DA951FE302BF7CECB60E57BE0EF1126974841F2CA98CB163EC1560178791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499327679.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4aef0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3c0c0e1bef7750ddd5e63d3bcbf1aa3cae616bdc53808b99a5a780a4cbd58d0b
                                                                                    • Instruction ID: 064215b9d972b1310e345cb6b6cb2158cad986539d5f3c7d47aafe3ed6d2ff73
                                                                                    • Opcode Fuzzy Hash: 3c0c0e1bef7750ddd5e63d3bcbf1aa3cae616bdc53808b99a5a780a4cbd58d0b
                                                                                    • Instruction Fuzzy Hash: AE31077191CB4C9FDB18AF5CE8066E97BE0FB99310F10426FE449D3291DA70A856CBC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1498948265.00007FFB4ADDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADDD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4addd000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2b1f6c43ab2201ad79fde7c47cf8059f65658d528b6fab38990099e46376e04a
                                                                                    • Instruction ID: f9359e34827a38411b5bf9b7637a4ed453ff6ae24cf6df2df3430595437a8c23
                                                                                    • Opcode Fuzzy Hash: 2b1f6c43ab2201ad79fde7c47cf8059f65658d528b6fab38990099e46376e04a
                                                                                    • Instruction Fuzzy Hash: CE41267050DBC44FE7569F38D8459A23FB4EF52325B2905EFD088CB1A3DA25E846C792
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499327679.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4aef0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8f9dc985dbe663f7185b41a4c186c05a9b9cb774bc72597df1544cb8afbe0c6d
                                                                                    • Instruction ID: a5a60eeb42a31077b103c0c0c4ae2d76c8b583e66d184d025e2710f2867e8ad9
                                                                                    • Opcode Fuzzy Hash: 8f9dc985dbe663f7185b41a4c186c05a9b9cb774bc72597df1544cb8afbe0c6d
                                                                                    • Instruction Fuzzy Hash: B621287090CB4C8FDB59EFACD84A7E97FE0EB9A321F14416BD048C7152DA74A416CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499327679.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4aef0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction ID: c264d9109303a474792d3eb3da31d8bb9b3d8ba38ce0b451e1a622caa1638942
                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction Fuzzy Hash: 8A01A77011CB0C8FD744EF0CE051AA5B3E0FB85364F10056EE59AC3661DA32E882CB41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1499327679.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffb4aef0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: N_^4$N_^7$N_^F$N_^J
                                                                                    • API String ID: 0-3508309026
                                                                                    • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                                    • Instruction ID: e985838cdbf39220d6e0f1c425ecfab7a0ec59ddf63e3b8a14458472142a5203
                                                                                    • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                                    • Instruction Fuzzy Hash: 052107B7709425AEE3137BBCEC155D937C4DB9823474541F2D299CB143E92460878AD2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.1619306069.00007FFB4AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffb4afe0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (B"K$(B"K$(B"K$(B"K$(B"K
                                                                                    • API String ID: 0-1276785767
                                                                                    • Opcode ID: 85009df302c75b969ca16a92020b157f8a68a70ff9cd3059dc1575b22f17df4d
                                                                                    • Instruction ID: 538f481e0e9a1c1db7b4b8df0981037f22ea4da93a7e26064682abec3ecb1e6f
                                                                                    • Opcode Fuzzy Hash: 85009df302c75b969ca16a92020b157f8a68a70ff9cd3059dc1575b22f17df4d
                                                                                    • Instruction Fuzzy Hash: FFD144A291EBCD2FE796AF7888555B67FE5EF16210B1801FED48DCB0C3DA189805C391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.1619306069.00007FFB4AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffb4afe0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8>"K
                                                                                    • API String ID: 0-2089949680
                                                                                    • Opcode ID: 83f4be87acf56de495416f8e804c1d2ede56c639de151c4ee78ad41669d5421d
                                                                                    • Instruction ID: 2098b8024bdf72b46f92214d0696d768601d924e2c4b56acfe9de7bc8e3d48cd
                                                                                    • Opcode Fuzzy Hash: 83f4be87acf56de495416f8e804c1d2ede56c639de151c4ee78ad41669d5421d
                                                                                    • Instruction Fuzzy Hash: 0F516A72A0CA465FEB9AEE2CC55167677D6EF94312B2800FEC14DC71D2DD1AEC058341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.1619306069.00007FFB4AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffb4afe0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p>"K
                                                                                    • API String ID: 0-573729058
                                                                                    • Opcode ID: 46ae62cafce7536cfcaf81fc79ae5ba793d4bd6349d2d2f4b1bf0e7fb28a219a
                                                                                    • Instruction ID: 56c8afd08339a1523104bc5a775374853d9b04e84163a03a6fb87e3e83e1a233
                                                                                    • Opcode Fuzzy Hash: 46ae62cafce7536cfcaf81fc79ae5ba793d4bd6349d2d2f4b1bf0e7fb28a219a
                                                                                    • Instruction Fuzzy Hash: FB414372A1DA495FEBA9EE3CD8416BA77D5EF84321B1801FED44EC31C3D916AC018381
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.1619306069.00007FFB4AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffb4afe0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8>"K
                                                                                    • API String ID: 0-2089949680
                                                                                    • Opcode Fuzzy Hash: 54d34ec503bc53d60329c489a4f8203fbb200708839654e51a9cc648770db124
                                                                                    • Instruction Fuzzy Hash: 230269A2A0DB891FE796AE38C8151B63BE5EF92221B1901FFD04DC71D3DD19AC06C391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1998146084.00007FFB4AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4afe0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8>"K
                                                                                    • API String ID: 0-2089949680
                                                                                    • Opcode ID: cb9068d251a4de3151a7d8e81eebda5ccda2ce1e87600219d0d436cf49fce76a
                                                                                    • Instruction ID: bea2d08b84a7b1dc585a9be6bb0111aca50c1149f1457918146ed3404a8f1e5f
                                                                                    • Opcode Fuzzy Hash: cb9068d251a4de3151a7d8e81eebda5ccda2ce1e87600219d0d436cf49fce76a
                                                                                    • Instruction Fuzzy Hash: 472136A3D4DA476FEBAAEE2CC55117666D9EF54212B6900FEC05DC71E2CD1DDC008342
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1998146084.00007FFB4AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4afe0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p>"K
                                                                                    • API String ID: 0-573729058
                                                                                    • Opcode ID: 08c51a1c18ecf81b587077ae0a129b442ec6b212f9aad37f4388e64616c84f6a
                                                                                    • Instruction ID: 4e038fcf7a2066c174316b9439213ff7531c12bd624d24711701b83bbbbe44ad
                                                                                    • Opcode Fuzzy Hash: 08c51a1c18ecf81b587077ae0a129b442ec6b212f9aad37f4388e64616c84f6a
                                                                                    • Instruction Fuzzy Hash: 661132B2A1EA495FE3A8EF78D8504B93BE9FF4432172900FAD44EC71D2C919AC008352
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 151437b0e458008132f75a7f1ccce77362ae65ce001ca2dfd10c0354e0b03ecf
                                                                                    • Instruction ID: 135a664d6ddf131b5b4b32b9e5e2b5f7b0257cede3f10ede0c1ae7509c0ffcd0
                                                                                    • Opcode Fuzzy Hash: 151437b0e458008132f75a7f1ccce77362ae65ce001ca2dfd10c0354e0b03ecf
                                                                                    • Instruction Fuzzy Hash: B1C16171A0CA4D8FDF95EF68C455AA9BBE1FF58310F2441AAD409D7296CB34EC41CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9bf2e2cd1e00ac927fe95b720ce96e465b695d92b25d7b04e7d0c85a8d8e2773
                                                                                    • Instruction ID: 4ba68e43608ea2ea1dcef6eabc97daeaeba3fdac82a42da9da57aa2af7af048e
                                                                                    • Opcode Fuzzy Hash: 9bf2e2cd1e00ac927fe95b720ce96e465b695d92b25d7b04e7d0c85a8d8e2773
                                                                                    • Instruction Fuzzy Hash: 37215BA690EBC54FD753AB38A8650E47FF0EF1321575901E7D088CB0A3D9195C098B92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fd204748f7e63895ce296cbf7206c7cacd262cc3a75d8e5cf1d47c0e9faa757e
                                                                                    • Instruction ID: cebbcae06b1551e2b6d57c9f5d9adbc71073abcb94330b3c210250b2d4bcca56
                                                                                    • Opcode Fuzzy Hash: fd204748f7e63895ce296cbf7206c7cacd262cc3a75d8e5cf1d47c0e9faa757e
                                                                                    • Instruction Fuzzy Hash: 337104B250CB854FE306EE38D8D54B47FD1EF5235576802EAD089CB1D3E926AC478752
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0b8a53f6a8633d0e74efa9383299e5171da687fc59587fc08adf5fc087ec2425
                                                                                    • Instruction ID: 342715460b18d7136a183e213593e5d906c70154640b31f7579f09035aed1624
                                                                                    • Opcode Fuzzy Hash: 0b8a53f6a8633d0e74efa9383299e5171da687fc59587fc08adf5fc087ec2425
                                                                                    • Instruction Fuzzy Hash: 0CF0BE7180CA8C8FCB41AF28C8195A87FE0FF25300B5002EBE409CB0A1DB659C088BC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c269230f5fafec91b3b95a5d663f65ea2cc749275c2dc51223f8f7d16cc867c3
                                                                                    • Instruction ID: efa944e2218f4137ea3d7e3831d61ccc68a35737ef59515b2cc0b95094b995a2
                                                                                    • Opcode Fuzzy Hash: c269230f5fafec91b3b95a5d663f65ea2cc749275c2dc51223f8f7d16cc867c3
                                                                                    • Instruction Fuzzy Hash: 9C31367190DB8C4FEB59EFA8E84A6F97FE0EB56320F0442AFD048C7193D9645846C792
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2dfc404e2f29c39bf79e0f7dee0b33c8867cdd6ba74053086ae688b816e9a76c
                                                                                    • Instruction ID: b6d719d128ccd3a9676f66a5ad0dc372dc7b86290a1b8dc2e4f631f3860f62b8
                                                                                    • Opcode Fuzzy Hash: 2dfc404e2f29c39bf79e0f7dee0b33c8867cdd6ba74053086ae688b816e9a76c
                                                                                    • Instruction Fuzzy Hash: 7C31E37191CB888FDB589F5CAC466B97FE0FB99310F04426FE449D3292CA70A815CBC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1986657729.00007FFB4ADFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADFD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4adfd000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 853ca5a3cfe7bff26138c3430ff6670d57f65ced50857e67fe984677a2c07c80
                                                                                    • Instruction ID: 57cd1ac1bbc117729f69ce3d97c202f60563da2efb16f1eaa78b5db3c8147ea1
                                                                                    • Opcode Fuzzy Hash: 853ca5a3cfe7bff26138c3430ff6670d57f65ced50857e67fe984677a2c07c80
                                                                                    • Instruction Fuzzy Hash: 8E41C37180DBC44FE7569F39D8559523FB0EF57220B2906DFE088CB1A3DA29A846C792
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                    • Instruction ID: 3409743b600f5b2570042da79bb0597e1206ff838ff62a3ae5070f42711164ea
                                                                                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                    • Instruction Fuzzy Hash: 3201677111CB0C8FDB44EF0CE451AB5B7E0FB95364F10056EE58AC36A5DA36E882CB45
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.1988060373.00007FFB4AF15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF15000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4af15000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                                    • API String ID: 0-1415242001
                                                                                    • Opcode ID: e9a238c2f47e9c446b04d8d503f17100e81cd5345d998f6a73c1cadda3ada46e
                                                                                    • Instruction ID: 6ed034a85d5460f04c9c372dcd748b514365e35c3229b5fb7d8097ec617c7766
                                                                                    • Opcode Fuzzy Hash: e9a238c2f47e9c446b04d8d503f17100e81cd5345d998f6a73c1cadda3ada46e
                                                                                    • Instruction Fuzzy Hash: 1321F5B37049159ED2133A7DF8425ED67C4DB5837834591F3E618CF113DB25A48B8A90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c9308168afb2c28746eb4df8cf6bc637fcfd6b0c3186cc669ca928ae2fb67c80
                                                                                    • Instruction ID: d2862260e37c02fb7f9c3f34eab8cf0c0b2a00f01a2a8b5c4edd9e75a2e6caae
                                                                                    • Opcode Fuzzy Hash: c9308168afb2c28746eb4df8cf6bc637fcfd6b0c3186cc669ca928ae2fb67c80
                                                                                    • Instruction Fuzzy Hash: 6622C5A0B6DA095FE799FB38C4597B9B7D6FF88300F6445B9E40DC32C2DE29A8018751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 726f2227de31ca1ac529e4216cc13a77bf15437f8118bf5c4aef99c2b1302d14
                                                                                    • Instruction ID: 5e074e3e066f6b9ee87598e75950d648762b3fad7659d008207834dbbedf5308
                                                                                    • Opcode Fuzzy Hash: 726f2227de31ca1ac529e4216cc13a77bf15437f8118bf5c4aef99c2b1302d14
                                                                                    • Instruction Fuzzy Hash: 0C711852B0EA961EF353B67CE4161E92BD5DF8A230B0881FBE4CDCA093DC1968478765
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 23ad7fcfddb62965b3198eda24a09534033fc751861bf5da9bd42091c77d9f82
                                                                                    • Instruction ID: 69e2d1dcef56c92021b419ec21186a127a85d3801e35e2e15fb8c75ee733fe6a
                                                                                    • Opcode Fuzzy Hash: 23ad7fcfddb62965b3198eda24a09534033fc751861bf5da9bd42091c77d9f82
                                                                                    • Instruction Fuzzy Hash: 34512490A5E6C64FD797BB3888242757FD5EF87215B2800FAE0DDCB193DE084806C346
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ;O_$<O_^
                                                                                    • API String ID: 0-3431308889
                                                                                    • Opcode ID: 6ecb338196e01d6849965e673e99ad99aeb8b20174d9ff6b567aa618c7283fe7
                                                                                    • Instruction ID: dd022c136f106780dde04d3cbbbe6638b1c39963314aa8473fa710a94b5c11b3
                                                                                    • Opcode Fuzzy Hash: 6ecb338196e01d6849965e673e99ad99aeb8b20174d9ff6b567aa618c7283fe7
                                                                                    • Instruction Fuzzy Hash: 2E5129B6A4A9459FE312FB78E4951E43BE1FF84214B5440FAD44CCB283DE3868468B61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 2O_^
                                                                                    • API String ID: 0-2974816419
                                                                                    • Opcode ID: 91cb90c347d6b6aabc92e0e7400492a7389cdc440b26985adae8f21d8cd137bb
                                                                                    • Instruction ID: e29c3962476b35dbb7c90433bafefed016c0f35091f2cd89a62f9a9d8c9cf6b1
                                                                                    • Opcode Fuzzy Hash: 91cb90c347d6b6aabc92e0e7400492a7389cdc440b26985adae8f21d8cd137bb
                                                                                    • Instruction Fuzzy Hash: 5C514866E0D9865FE712BBBCE4521ED7BF0EF85220B1841F7D188CA093DD19184A87A0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 2O_^
                                                                                    • API String ID: 0-2974816419
                                                                                    • Opcode ID: 377ca90bbaa0b6e167b76b6d31227fc4f59577f7e074a5d8150183184b66be57
                                                                                    • Instruction ID: 0c88d873b2d1d8d1b94bfaf9841f45335d08a9bf17eb32433ff7308ddb41da6a
                                                                                    • Opcode Fuzzy Hash: 377ca90bbaa0b6e167b76b6d31227fc4f59577f7e074a5d8150183184b66be57
                                                                                    • Instruction Fuzzy Hash: B5514962E0D9469FE712BBBCE4521ED7BF0EF85220F1941F7D18CDA193DC29184A87A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 93e7275f871ad0cb3ebac7568c2707739656b9b018a0124ef57ea55aaaaa90e5
                                                                                    • Instruction ID: 4f47231214a3395dcb70314a4ee328a5bcc86c3bddee187997a2325a64881830
                                                                                    • Opcode Fuzzy Hash: 93e7275f871ad0cb3ebac7568c2707739656b9b018a0124ef57ea55aaaaa90e5
                                                                                    • Instruction Fuzzy Hash: BD3101A290CA8A5FE741FF78D8652EDBBF1FF85200F5501F6E149E3292CD2828068790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e516cff7f849452fca8f87d8fa99e138d9eb03a0e03d37841e00841f0940f718
                                                                                    • Instruction ID: e9bb1f84d1f80cfb5414bb8d8461d3209c69d9a591ec0aed62a82975d1cf71e9
                                                                                    • Opcode Fuzzy Hash: e516cff7f849452fca8f87d8fa99e138d9eb03a0e03d37841e00841f0940f718
                                                                                    • Instruction Fuzzy Hash: A3510776B0891A9FE712BF7CE4422EC73E4FF84321B5441BAD509C7183DE39644687A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 398f57a60c50c10fdcf10c3ce4c4a3b9bbb8274136152cd43e5886191453510a
                                                                                    • Instruction ID: 8c859f037e0208ed961e5a749c151b4c68f46e26ee671a5d0ada00deeb2747b6
                                                                                    • Opcode Fuzzy Hash: 398f57a60c50c10fdcf10c3ce4c4a3b9bbb8274136152cd43e5886191453510a
                                                                                    • Instruction Fuzzy Hash: C441E375B08D1A9FEB45FB78D4556E973E1FF88311F5045BAD009C7282DE38A8468BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fb433f3c93c303f331900a155766c3bae9f9a4c9beb74c2acd33895913592213
                                                                                    • Instruction ID: 4097c6194da264026bfa43e83d27bc5ae92b8f73195e56c3327843b4c8e184d0
                                                                                    • Opcode Fuzzy Hash: fb433f3c93c303f331900a155766c3bae9f9a4c9beb74c2acd33895913592213
                                                                                    • Instruction Fuzzy Hash: 0F31A061B1C9494FE798FB3CD85A279A6C6EFD8311F1405BEA44EC3293DE289C468345
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b8d68e58eafb53d499670260245d172f236b5dff4da0002f7e1a97f011c6bfbe
                                                                                    • Instruction ID: 652f991fe418f774d8da9093360b848bd4edd3fb31496e5204b8b5d93068849e
                                                                                    • Opcode Fuzzy Hash: b8d68e58eafb53d499670260245d172f236b5dff4da0002f7e1a97f011c6bfbe
                                                                                    • Instruction Fuzzy Hash: 7B21A4A1B19D065FFB95BBBCD40A3BCA2D6EF9C701F20417AE50DC3292DD28AD024361
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5de0629e8f078fb701c2372d67a33bf737689282abc436e6a3a45f61391f3550
                                                                                    • Instruction ID: 37be0f65fd27c54d967298b20dc4693691bfcdd24a41f839e52a75c8e3d5725c
                                                                                    • Opcode Fuzzy Hash: 5de0629e8f078fb701c2372d67a33bf737689282abc436e6a3a45f61391f3550
                                                                                    • Instruction Fuzzy Hash: 93219579A59D099FD755EB28C0956E97FE3FF88200F9444E9D808C33C7DE3869068B61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000010.00000002.2072518940.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_16_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b7eeec1d5e3b088cb9b05c3ea7c80b9e3874503eee0ac10dae808b9fa522fb31
                                                                                    • Instruction ID: fb73feea3490a8d396f6b5acd1c84c395b1842c2643e8f65ff609a049009bc49
                                                                                    • Opcode Fuzzy Hash: b7eeec1d5e3b088cb9b05c3ea7c80b9e3874503eee0ac10dae808b9fa522fb31
                                                                                    • Instruction Fuzzy Hash: 7701429594DB811EF392BE3C9C555317FE4EB91311B2800EBF888CA093DD0859448392
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a2e001d31d2641efce9516428a3b08a4b52b524b08db3d17dcf092246d57b82a
                                                                                    • Instruction ID: e367afc3c1095b08b0e42b730d2f2e9ce7e1c19d90134e65dc1b724f1d8c595b
                                                                                    • Opcode Fuzzy Hash: a2e001d31d2641efce9516428a3b08a4b52b524b08db3d17dcf092246d57b82a
                                                                                    • Instruction Fuzzy Hash: 1D22D5A0B6DA095FE799FB38C4557B9B6D6FF8C301F6445B9E40DC3282DE39A8018781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2cbe739e44107c15079a569bfed88209a804a745b9688ef79933c9c32ad1bc49
                                                                                    • Instruction ID: 3a98e7db839e7c819101e4ca25ee4b1438d3444d1eede0837e3691ad1e3a8393
                                                                                    • Opcode Fuzzy Hash: 2cbe739e44107c15079a569bfed88209a804a745b9688ef79933c9c32ad1bc49
                                                                                    • Instruction Fuzzy Hash: 0E712952B0EA961EF353B67CE4161E92BD5DF8A23070881FBE4CDCA093DC19684783A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b80c19c01e4b08846b3c0642c9f7438f9d29ce14c12abfea7e5dec64c0c8b531
                                                                                    • Instruction ID: 295aa92975037acf690a0d7eeac409a3e6ba38c2107f82d16b567836cd2934bd
                                                                                    • Opcode Fuzzy Hash: b80c19c01e4b08846b3c0642c9f7438f9d29ce14c12abfea7e5dec64c0c8b531
                                                                                    • Instruction Fuzzy Hash: CF51249065E6C64FD797BB3888242B67FD5EF87215B2800FAE0DDCB193DE184806C346
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ;O_$<O_^
                                                                                    • API String ID: 0-3431308889
                                                                                    • Opcode ID: b23214c90553000a04e6cdb0a44a8d2d4a9b7238532c15703c9e87647865168d
                                                                                    • Instruction ID: f84fa1976c23346db9f0cd85a86b4f9d8f13ac0a1092aec61a342bc5db6754ab
                                                                                    • Opcode Fuzzy Hash: b23214c90553000a04e6cdb0a44a8d2d4a9b7238532c15703c9e87647865168d
                                                                                    • Instruction Fuzzy Hash: 645129B2A4A955DFE322FB78E0911E63BE1FF8821675440F6D44CCB383DD3868468B90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 2O_^
                                                                                    • API String ID: 0-2974816419
                                                                                    • Opcode ID: 603d2fa0c69c9c122eb5c28b4dd7d6b6e78e02b61f71a4af908ec7bbb3ee20db
                                                                                    • Instruction ID: 9ef4da1bfced26fe8615495f2a2f65d984f0d6d8e4da1e11a4cb439b3165c8ad
                                                                                    • Opcode Fuzzy Hash: 603d2fa0c69c9c122eb5c28b4dd7d6b6e78e02b61f71a4af908ec7bbb3ee20db
                                                                                    • Instruction Fuzzy Hash: 56514962E0D9865EE712BBBCE8521ED7FF0FF85224B1941F7D18CCA193DD15184A87A0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 2O_^
                                                                                    • API String ID: 0-2974816419
                                                                                    • Opcode ID: b2655888dd9ec2a774e47b6350073bb725b7577c90f7b97d47a7329a2589c1e4
                                                                                    • Instruction ID: 1e59bdd9d21cf9c87903f72a5f8a8844752c3936ae5113f4f7f1fe35296b8534
                                                                                    • Opcode Fuzzy Hash: b2655888dd9ec2a774e47b6350073bb725b7577c90f7b97d47a7329a2589c1e4
                                                                                    • Instruction Fuzzy Hash: 06515B62E0E9465EE712BB7CE4521ED7FF0EF85220F1941F7D18CDA193DC25184A87A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 26d46870bcf56361224b5971003271472e3b56a1062539653801922a1d8c2861
                                                                                    • Instruction ID: c5542f183c202581f77b1eac20759ee3d22f35f975704619ca6a72db1bad1334
                                                                                    • Opcode Fuzzy Hash: 26d46870bcf56361224b5971003271472e3b56a1062539653801922a1d8c2861
                                                                                    • Instruction Fuzzy Hash: 4E31F2A290DA8A5FE741AF78D8651EEBFF1FF89200F5601F6D149E3292CD2418068790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bbe2a9aa45b0186f821c2759e5f069825c608a60a2e4d178fdbf390141535b58
                                                                                    • Instruction ID: ee840bfd5fb6f7b83fd30bef2f45ee8022c01209e014ca3d3bd11dd94106abf5
                                                                                    • Opcode Fuzzy Hash: bbe2a9aa45b0186f821c2759e5f069825c608a60a2e4d178fdbf390141535b58
                                                                                    • Instruction Fuzzy Hash: A3511776B0991A9FE712BF7CE4422ED73E4FF88321B5041BAD109C7283DD35644687A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e9240172cca8eb593c25f813cc7e9307c810b0abe08b6d4642ca42debae85f7
                                                                                    • Instruction ID: 35d066f306b6f15530b2bd5d5a0b7dbde1b6794d74974e8057d1d9bd8ea673d1
                                                                                    • Opcode Fuzzy Hash: 1e9240172cca8eb593c25f813cc7e9307c810b0abe08b6d4642ca42debae85f7
                                                                                    • Instruction Fuzzy Hash: AE410476B0991A9FEB41FF78D4516E973E1FFC8312B5045BAD008C7282DE35A846CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 00c752ffa4a31e3c56cb2d3fa687dc9debad1e1d7638eb898d6d4d310c4d7a04
                                                                                    • Instruction ID: 44c6a851b5a864c3b185370987e80342d2e2f8873c2bec7d215fe6fd545bfa46
                                                                                    • Opcode Fuzzy Hash: 00c752ffa4a31e3c56cb2d3fa687dc9debad1e1d7638eb898d6d4d310c4d7a04
                                                                                    • Instruction Fuzzy Hash: A531A0A1B1C9490FE798FB3CD85A279A6C6EFD8311F1405BEA44EC3293DE289C468345
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b8d68e58eafb53d499670260245d172f236b5dff4da0002f7e1a97f011c6bfbe
                                                                                    • Instruction ID: 652f991fe418f774d8da9093360b848bd4edd3fb31496e5204b8b5d93068849e
                                                                                    • Opcode Fuzzy Hash: b8d68e58eafb53d499670260245d172f236b5dff4da0002f7e1a97f011c6bfbe
                                                                                    • Instruction Fuzzy Hash: 7B21A4A1B19D065FFB95BBBCD40A3BCA2D6EF9C701F20417AE50DC3292DD28AD024361
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2160448811.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffb4aef0000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2629863360.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffb4af10000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2443274647948012b7ab9d6a292103ffe70d60b21b9d113a3fabb6a72746f72d
                                                                                    • Instruction ID: ec72857fce1ece17da35fbd73f775c07732f6c6f6d5d3c367424b929a96dd2df
                                                                                    • Opcode Fuzzy Hash: 2443274647948012b7ab9d6a292103ffe70d60b21b9d113a3fabb6a72746f72d
                                                                                    • Instruction Fuzzy Hash: 2D51C872B0992A8FEB51FFBCE4521FC77E5EF98325B5442BAD409C7282CD3568428790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2629863360.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffb4af10000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 60b27e574f07678355bbb58e49a26e9c969b183beac3689d0c172cd94de02bf3
                                                                                    • Instruction ID: 5ff66636aded05ad463323bbac625ff41720325e7537d1f607e8312485e7c4f1
                                                                                    • Opcode Fuzzy Hash: 60b27e574f07678355bbb58e49a26e9c969b183beac3689d0c172cd94de02bf3
                                                                                    • Instruction Fuzzy Hash: FB41A271A1991E8FEB45FFBCD8512F97BE1FF88311B5042BAD409C7282CE35A8468790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2629863360.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffb4af10000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 68109c174cd4fe26b9b648a8ef5315d957ccd97a5f65a06a1ceb9237fcfbd632
                                                                                    • Instruction ID: aade82c7488de6a2b3646fe3c6142ff74b7dbacb438d8759f3af36a4d42ff641
                                                                                    • Opcode Fuzzy Hash: 68109c174cd4fe26b9b648a8ef5315d957ccd97a5f65a06a1ceb9237fcfbd632
                                                                                    • Instruction Fuzzy Hash: 6B31D161B1D9490FE798EB7CD85A278A6C2EF98311F1405BEE44EC32D3DE289C068340
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2629863360.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffb4af10000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 81010f720811b810704dd42af9b01207f51e8647dd89dac47f9ed56b6e4f11bb
                                                                                    • Instruction ID: 525a68bba1ac6456f85a3ec587e72d91aa82e5f01aaccadba0259a43e041219f
                                                                                    • Opcode Fuzzy Hash: 81010f720811b810704dd42af9b01207f51e8647dd89dac47f9ed56b6e4f11bb
                                                                                    • Instruction Fuzzy Hash: B62153A1B15D1A4BFB95BABCD85A3BCB2D6EF9C711F10417AE80DC3282DD289C014751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2629863360.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffb4af10000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d488adea6344dd2bd9b240092ae6a43469aded8f176e3e6d08915c9f09dacd45
                                                                                    • Instruction ID: cb6cd96c84b327e717fb6d40735f9f043667b7ed8285e310c7b33d07c4b072f3
                                                                                    • Opcode Fuzzy Hash: d488adea6344dd2bd9b240092ae6a43469aded8f176e3e6d08915c9f09dacd45
                                                                                    • Instruction Fuzzy Hash: 3521867165DE498FD7D1EB2CD0A16F97FE2FF88201B9445EDD808C7386CE2859028B50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2629863360.00007FFB4AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffb4af10000_XClient.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f2f8fce0e0f8570ff50d3d72a8e5a8f9bb64597b4580999d2fffbead0683dbfd
                                                                                    • Instruction ID: fb1881a64d8eb94d1e6062e7c0f31db9ecfcf7878c4ef539f2e67360a749c524
                                                                                    • Opcode Fuzzy Hash: f2f8fce0e0f8570ff50d3d72a8e5a8f9bb64597b4580999d2fffbead0683dbfd
                                                                                    • Instruction Fuzzy Hash: EC012FA190CBC10FF392BEB898515797FE08B91211B2800FBE888CA0D3D8086D408392