Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
OXhiMvksgM.exe

Overview

General Information

Sample name:OXhiMvksgM.exe
renamed because original name is a hash value
Original sample name:30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe
Analysis ID:1557206
MD5:651429675c1d86cf068746159aa66b6d
SHA1:aad51d3448cb1e9f337a985ed840a0064d5699ee
SHA256:30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • OXhiMvksgM.exe (PID: 2788 cmdline: "C:\Users\user\Desktop\OXhiMvksgM.exe" MD5: 651429675C1D86CF068746159AA66B6D)
    • X.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Local\Temp\X.exe" MD5: 2C76B88A912C741F1404B400C1ADD578)
      • powershell.exe (PID: 1836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WerFault.exe (PID: 6852 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • powershell.exe (PID: 5764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 6944 cmdline: C:\Windows\system32\WerFault.exe -u -p 7100 -s 2088 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • X.exe (PID: 5952 cmdline: "C:\Users\user\AppData\Roaming\X.exe" MD5: 2C76B88A912C741F1404B400C1ADD578)
  • X.exe (PID: 5972 cmdline: "C:\Users\user\AppData\Roaming\X.exe" MD5: 2C76B88A912C741F1404B400C1ADD578)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["activities-mustang.gl.at.ply.gg"], "Port": 54756, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\X.exeJoeSecurity_XWormYara detected XWormJoe Security
    C:\Users\user\AppData\Local\Temp\X.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0xd368:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xd405:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xd51a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xcb84:$cnc4: POST / HTTP/1.1
    C:\Users\user\AppData\Roaming\X.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\Users\user\AppData\Roaming\X.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xd368:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xd405:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xd51a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xcb84:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x15678:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x15715:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x1582a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x14e94:$cnc4: POST / HTTP/1.1
        00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xd168:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0xd205:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0xd31a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xc984:$cnc4: POST / HTTP/1.1
          Process Memory Space: OXhiMvksgM.exe PID: 2788JoeSecurity_XWormYara detected XWormJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.OXhiMvksgM.exe.24d4310.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.2.OXhiMvksgM.exe.24d4310.1.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xb568:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0xb605:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0xb71a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0xad84:$cnc4: POST / HTTP/1.1
              2.0.X.exe.6c0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                2.0.X.exe.6c0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0xd368:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0xd405:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0xd51a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0xcb84:$cnc4: POST / HTTP/1.1
                0.2.OXhiMvksgM.exe.24d4310.1.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  Click to see the 1 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\X.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\X.exe, ParentProcessId: 7100, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', ProcessId: 1836, ProcessName: powershell.exe
                  Sigma detected: Script Interpreter Execution From Suspicious Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\X.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\X.exe, ParentProcessId: 7100, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', ProcessId: 1836, ProcessName: powershell.exe
                  Sigma detected: Suspicious Script Execution From Temp Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\X.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\X.exe, ParentProcessId: 7100, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', ProcessId: 1836, ProcessName: powershell.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\X.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\X.exe, ParentProcessId: 7100, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', ProcessId: 1836, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\X.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\X.exe, ProcessId: 7100, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\X.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\X.exe, ParentProcessId: 7100, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', ProcessId: 1836, ProcessName: powershell.exe
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\X.exe, ProcessId: 7100, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\X.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\X.exe, ParentProcessId: 7100, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe', ProcessId: 1836, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-11-17T19:25:51.797648+010028559241Malware Command and Control Activity Detected192.168.2.649995147.185.221.2254756TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: OXhiMvksgM.exeAvira: detected
                  Antivirus detection for URL or domain
                  Source: activities-mustang.gl.at.ply.ggAvira URL Cloud: Label: malware
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\X.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                  Source: C:\Users\user\AppData\Roaming\X.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                  Found malware configuration
                  Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["activities-mustang.gl.at.ply.gg"], "Port": 54756, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\X.exeReversingLabs: Detection: 73%
                  Source: C:\Users\user\AppData\Roaming\X.exeReversingLabs: Detection: 73%
                  Multi AV Scanner detection for submitted file
                  Source: OXhiMvksgM.exeReversingLabs: Detection: 68%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\X.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Roaming\X.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: OXhiMvksgM.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: 2.0.X.exe.6c0000.0.unpackString decryptor: activities-mustang.gl.at.ply.gg
                  Source: 2.0.X.exe.6c0000.0.unpackString decryptor: 54756
                  Source: 2.0.X.exe.6c0000.0.unpackString decryptor: <123456789>
                  Source: 2.0.X.exe.6c0000.0.unpackString decryptor: <Xwormmm>
                  Source: 2.0.X.exe.6c0000.0.unpackString decryptor: USB.exe
                  Source: OXhiMvksgM.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: OXhiMvksgM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\X.PDBrces source: X.exe, 00000002.00000002.3318294673.000000001B87C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC4Qo$ source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPJ7n% source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbZO source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Configuration.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Management.pdbh source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Xml.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Core.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb` source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp, WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Management.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Management.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.pdbM source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: .pdbE source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49995 -> 147.185.221.22:54756
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: activities-mustang.gl.at.ply.gg
                  Source: global trafficTCP traffic: 192.168.2.6:49899 -> 147.185.221.22:54756
                  Source: Joe Sandbox ViewIP Address: 147.185.221.22 147.185.221.22
                  Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: activities-mustang.gl.at.ply.gg
                  Source: powershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                  Source: powershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                  Source: powershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: X.exe, 00000002.00000002.3289710637.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: Amcache.hve.18.drString found in binary or memory: http://upx.sf.net
                  Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 0000000B.00000002.2508262262.000002B277C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cou
                  Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                  Operating System Destruction

                  barindex
                  Protects its processes via BreakOnTermination flag
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: 01 00 00 00 Jump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeCode function: 0_2_00007FFD34890A210_2_00007FFD34890A21
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B8CE62_2_00007FFD348B8CE6
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B2E992_2_00007FFD348B2E99
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B9A922_2_00007FFD348B9A92
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B16592_2_00007FFD348B1659
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B2F432_2_00007FFD348B2F43
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B388D2_2_00007FFD348B388D
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B449F2_2_00007FFD348B449F
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B1E1D2_2_00007FFD348B1E1D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD3488B9FA3_2_00007FFD3488B9FA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD34888E2C3_2_00007FFD34888E2C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD3488BAFB3_2_00007FFD3488BAFB
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD3488BC4A3_2_00007FFD3488BC4A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD348827853_2_00007FFD34882785
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348C34FD6_2_00007FFD348C34FD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348C35FA6_2_00007FFD348C35FA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348C5BF26_2_00007FFD348C5BF2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD3489850311_2_00007FFD34898503
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD34898E0511_2_00007FFD34898E05
                  Source: C:\Users\user\AppData\Roaming\X.exeCode function: 14_2_00007FFD348A165914_2_00007FFD348A1659
                  Source: C:\Users\user\AppData\Roaming\X.exeCode function: 14_2_00007FFD348A1E1D14_2_00007FFD348A1E1D
                  Source: C:\Users\user\AppData\Roaming\X.exeCode function: 15_2_00007FFD3488165915_2_00007FFD34881659
                  Source: C:\Users\user\AppData\Roaming\X.exeCode function: 15_2_00007FFD34881E1D15_2_00007FFD34881E1D
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100
                  Source: OXhiMvksgM.exe, 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameX.exe4 vs OXhiMvksgM.exe
                  Source: OXhiMvksgM.exeBinary or memory string: OriginalFilenameXBinderOutput.exe4 vs OXhiMvksgM.exe
                  Source: OXhiMvksgM.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: OXhiMvksgM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: OXhiMvksgM.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9908987576844263
                  Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe.0.dr, 9M4B1GrUSVl6ZkgZecK5.csBase64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
                  Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csBase64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
                  Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csBase64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 9M4B1GrUSVl6ZkgZecK5.csBase64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csBase64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csBase64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
                  Source: X.exe.2.dr, 9M4B1GrUSVl6ZkgZecK5.csBase64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
                  Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csBase64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
                  Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csBase64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: WER635D.tmp.dmp.18.drBinary string: |\Device\Harddis
                  Source: WER635D.tmp.dmp.18.drBinary string: |\Device\Harddis00330-7177086-AAOEMddiskVolume3C:\Windows\system32C:11904
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@16/24@1/1
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OXhiMvksgM.exe.logJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeMutant created: \Sessions\1\BaseNamedObjects\X7Sbr9oc27SibDBmH
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6852:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\X.exeMutant created: \Sessions\1\BaseNamedObjects\I76LbgASVOnu6K26
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeFile created: C:\Users\user\AppData\Local\Temp\X.exeJump to behavior
                  Source: OXhiMvksgM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: OXhiMvksgM.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: OXhiMvksgM.exeReversingLabs: Detection: 68%
                  Source: unknownProcess created: C:\Users\user\Desktop\OXhiMvksgM.exe "C:\Users\user\Desktop\OXhiMvksgM.exe"
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 2088
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                  Source: X.lnk.2.drLNK file: ..\..\..\..\..\X.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: OXhiMvksgM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: OXhiMvksgM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\X.PDBrces source: X.exe, 00000002.00000002.3318294673.000000001B87C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC4Qo$ source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPJ7n% source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbZO source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Configuration.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Management.pdbh source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Xml.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Core.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb` source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp, WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Management.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Management.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.pdbM source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: .pdbE source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER635D.tmp.dmp.18.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeCode function: 0_2_00007FFD348900BD pushad ; iretd 0_2_00007FFD348900C1
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B1133 push ebx; ret 2_2_00007FFD348B118A
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B00BD pushad ; iretd 2_2_00007FFD348B00C1
                  Source: C:\Users\user\AppData\Local\Temp\X.exeCode function: 2_2_00007FFD348B11BA push ebx; ret 2_2_00007FFD348B118A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD3476D2A5 pushad ; iretd 3_2_00007FFD3476D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD34952316 push 8B485F95h; iretd 3_2_00007FFD3495231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD347AD2A5 pushad ; iretd 6_2_00007FFD347AD2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348CC2C5 push ebx; iretd 6_2_00007FFD348CC2DA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD34992316 push 8B485F91h; iretd 6_2_00007FFD3499231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD3477D2A5 pushad ; iretd 11_2_00007FFD3477D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD34962316 push 8B485F94h; iretd 11_2_00007FFD3496231B
                  Source: C:\Users\user\AppData\Roaming\X.exeCode function: 14_2_00007FFD348A00BD pushad ; iretd 14_2_00007FFD348A00C1
                  Source: OXhiMvksgM.exeStatic PE information: section name: .text entropy: 7.829056816610667
                  Source: X.exe.0.dr, 9M4B1GrUSVl6ZkgZecK5.csHigh entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
                  Source: X.exe.0.dr, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.csHigh entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
                  Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.csHigh entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
                  Source: X.exe.0.dr, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.csHigh entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
                  Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csHigh entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
                  Source: X.exe.0.dr, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.csHigh entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
                  Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csHigh entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
                  Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csHigh entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
                  Source: X.exe.0.dr, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.csHigh entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 9M4B1GrUSVl6ZkgZecK5.csHigh entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.csHigh entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.csHigh entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.csHigh entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csHigh entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.csHigh entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csHigh entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csHigh entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
                  Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.csHigh entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
                  Source: X.exe.2.dr, 9M4B1GrUSVl6ZkgZecK5.csHigh entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
                  Source: X.exe.2.dr, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.csHigh entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
                  Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.csHigh entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
                  Source: X.exe.2.dr, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.csHigh entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
                  Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.csHigh entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
                  Source: X.exe.2.dr, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.csHigh entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
                  Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.csHigh entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
                  Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.csHigh entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
                  Source: X.exe.2.dr, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.csHigh entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeFile created: C:\Users\user\AppData\Local\Temp\X.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile created: C:\Users\user\AppData\Roaming\X.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\X.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeMemory allocated: A30000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeMemory allocated: 1A4B0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeMemory allocated: C00000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeMemory allocated: 1A9C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeMemory allocated: B40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\X.exeMemory allocated: 1A690000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\X.exeMemory allocated: 800000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\X.exeMemory allocated: 1A400000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\X.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWindow / User API: threadDelayed 2386Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWindow / User API: threadDelayed 7446Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5278Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4521Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7108Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2410Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8453Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1139Jump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exe TID: 3852Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exe TID: 6280Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4620Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288Thread sleep count: 7108 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288Thread sleep count: 2410 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608Thread sleep count: 8453 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608Thread sleep count: 1139 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exe TID: 7016Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\X.exe TID: 2612Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\X.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\X.exeThread delayed: delay time: 922337203685477
                  Source: Amcache.hve.18.drBinary or memory string: VMware
                  Source: Amcache.hve.18.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.18.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.18.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.18.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.18.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.18.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.18.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.18.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                  Source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.18.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.18.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.18.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.18.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.18.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.18.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.18.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.18.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.18.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.18.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.18.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.18.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.18.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.18.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.18.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.18.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.18.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.18.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.18.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.18.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'Jump to behavior
                  Bypasses PowerShell execution policy
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeProcess created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'Jump to behavior
                  Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                  Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                  Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                  Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeQueries volume information: C:\Users\user\Desktop\OXhiMvksgM.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\X.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\X.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\X.exeQueries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\X.exeQueries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation
                  Source: C:\Users\user\Desktop\OXhiMvksgM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Amcache.hve.18.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.18.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.18.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.18.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: X.exe, 00000002.00000002.3286114138.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3286114138.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: Amcache.hve.18.drBinary or memory string: MsMpEng.exe
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\X.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: OXhiMvksgM.exe PID: 2788, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: X.exe PID: 7100, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

                  Remote Access Functionality

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: OXhiMvksgM.exe PID: 2788, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: X.exe PID: 7100, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                  Windows Management Instrumentation                  		21
                  Registry Run Keys / Startup Folder                  		12
                  Process Injection                  		1
                  Masquerading                  		OS Credential Dumping131
                  Security Software Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  PowerShell                  		1
                  DLL Side-Loading                  		21
                  Registry Run Keys / Startup Folder                  		11
                  Disable or Modify Tools                  		LSASS Memory2
                  Process Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Non-Standard Port                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		41
                  Virtualization/Sandbox Evasion                  		Security Account Manager41
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture11
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  File and Directory Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                  Obfuscated Files or Information                  		Cached Domain Credentials13
                  System Information Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items23
                  Software Packing                  		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557206 Sample: OXhiMvksgM.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100 46 activities-mustang.gl.at.ply.gg 2->46 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 13 other signatures 2->56 10 OXhiMvksgM.exe 4 2->10         started        13 X.exe 2->13         started        16 X.exe 2->16         started        signatures3 process4 file5 42 C:\Users\user\AppData\Local\Temp\X.exe, PE32 10->42 dropped 44 C:\Users\user\AppData\...\OXhiMvksgM.exe.log, CSV 10->44 dropped 18 X.exe 1 6 10->18         started        68 Antivirus detection for dropped file 13->68 70 Multi AV Scanner detection for dropped file 13->70 72 Machine Learning detection for dropped file 13->72 signatures6 process7 dnsIp8 48 activities-mustang.gl.at.ply.gg 147.185.221.22, 49899, 49960, 49987 SALSGIVERUS United States 18->48 40 C:\Users\user\AppData\Roaming\X.exe, PE32 18->40 dropped 58 Antivirus detection for dropped file 18->58 60 Multi AV Scanner detection for dropped file 18->60 62 Protects its processes via BreakOnTermination flag 18->62 64 3 other signatures 18->64 23 powershell.exe 23 18->23         started        26 powershell.exe 23 18->26         started        28 powershell.exe 23 18->28         started        30 WerFault.exe 18->30         started        file9 signatures10 process11 signatures12 66 Loading BitLocker PowerShell Module 23->66 32 conhost.exe 23->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        process13 process14 38 WerFault.exe 32->38         started       

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  OXhiMvksgM.exe68%ReversingLabsByteCode-MSIL.Trojan.XWormRAT
                  OXhiMvksgM.exe100%AviraTR/Dropper.Gen
                  OXhiMvksgM.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\X.exe100%AviraHEUR/AGEN.1305769
                  C:\Users\user\AppData\Roaming\X.exe100%AviraHEUR/AGEN.1305769
                  C:\Users\user\AppData\Local\Temp\X.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\X.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\X.exe74%ReversingLabsByteCode-MSIL.Trojan.Jalapeno
                  C:\Users\user\AppData\Roaming\X.exe74%ReversingLabsByteCode-MSIL.Trojan.Jalapeno

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  activities-mustang.gl.at.ply.gg100%Avira URL Cloudmalware
                  http://www.microsoft.cou0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  activities-mustang.gl.at.ply.gg
                  		147.185.221.22
                  		truetrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    activities-mustang.gl.at.ply.ggtrue
                    • Avira URL Cloud: malware
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://contoso.com/powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://crl.micpowershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.microsoft.coupowershell.exe, 0000000B.00000002.2508262262.000002B277C50000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://upx.sf.netAmcache.hve.18.drfalse
                                          		high
                                          http://crl.micft.cMicRosofpowershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://aka.ms/pscore68powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX.exe, 00000002.00000002.3289710637.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  147.185.221.22
                                                  		activities-mustang.gl.at.ply.ggUnited States
                                                  		12087SALSGIVERUStrue

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1557206
                                                  Start date and time:2024-11-17 19:23:06 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 6m 19s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:19
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Critical Process Termination
                                                  Sample name:OXhiMvksgM.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@16/24@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 14.3%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 55
                                                  • Number of non-executed functions: 5
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target OXhiMvksgM.exe, PID 2788 because it is empty
                                                  • Execution Graph export aborted for target X.exe, PID 5952 because it is empty
                                                  • Execution Graph export aborted for target X.exe, PID 5972 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 1836 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 5764 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 5960 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                  • VT rate limit hit for: OXhiMvksgM.exe

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  13:24:04API Interceptor43x Sleep call for process: powershell.exe modified
                                                  13:24:39API Interceptor776211x Sleep call for process: X.exe modified
                                                  19:24:42AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run X C:\Users\user\AppData\Roaming\X.exe
                                                  19:24:50AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run X C:\Users\user\AppData\Roaming\X.exe
                                                  19:24:58AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  147.185.221.227bZWBYVNPU.exeGet hashmaliciousXWormBrowse
                                                    BWoiYc9WwI.exeGet hashmaliciousXWormBrowse
                                                      fjijTlM2tu.exeGet hashmaliciousXWormBrowse
                                                        gPEbJi1xiY.exeGet hashmaliciousXWormBrowse
                                                          dHp58IIEYz.exeGet hashmaliciousXWormBrowse
                                                            432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                              l18t80u9zg.exeGet hashmaliciousXWormBrowse
                                                                Windows Defender.exeGet hashmaliciousXWormBrowse
                                                                  e7WMhx18XN.exeGet hashmaliciousSilentXMRMiner, XmrigBrowse
                                                                    SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exeGet hashmaliciousNjratBrowse

                                                                      Domains

                                                                      No context

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      SALSGIVERUS9GlCWW6bXc.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      fiPZoO6xvJ.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      EternalPredictor.exeGet hashmaliciousBlank Grabber, Skuld Stealer, XWormBrowse
                                                                      • 147.185.221.23
                                                                      eternal.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      svchost.exeGet hashmaliciousUnknownBrowse
                                                                      • 147.185.221.23
                                                                      msedge_visual_render.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      exe030.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      pQm8Ci3Dov.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      jkL96SLfWS.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      xtrSvgqQEW.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X.exe_2883bebedfe0a947abfaed60a9497f85b63fa3ab_10868351_ec699ee9-e9a8-460e-8bd9-cd651ef3aa8e\Report.wer

                                                                      Download File
                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):65536
                                                                      Entropy (8bit):1.3324689695960934
                                                                      Encrypted:false
                                                                      SSDEEP:192:w41Ic/Kn3081iHxaWj8iyXLSleGzuiFqZ24lO8/4U:wfc/KnE81iRa48io83zuiFqY4lO8/D
                                                                      MD5:F26E795552BAE8CC1CA5F149A72AC022
                                                                      SHA1:3D7BFC69BFF90C4BEB361EE8A13126F087AC0F7D
                                                                      SHA-256:98B503380FEDD9F583DB5B149BA724CCD6DA6FDC13DFB67D6FF986FEB1B202D5
                                                                      SHA-512:4C4E15426259311B8CD50675D14311E70B7F457B9421884BF6383CD96C610857D635028963C9287BCBC82B07FE3FA7490CCC3F1C29493CDB81D049EEE5245575
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.3.4.1.5.5.2.3.1.0.5.5.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.6.9.9.e.e.9.-.e.9.a.8.-.4.6.0.e.-.8.b.d.9.-.c.d.6.5.1.e.f.3.a.a.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.b.b.f.1.b.c.-.2.f.a.2.-.4.b.5.a.-.b.2.c.1.-.e.f.8.b.d.e.3.2.e.4.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.X...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.5.-.3.1.d.6.-.0.a.d.f.1.d.3.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.1.9.5.f.c.3.8.8.a.f.4.3.5.9.5.d.8.0.1.5.b.1.2.d.e.1.5.5.e.8.0.0.0.0.0.0.0.0.0.!.0.0.0.0.1.3.d.1.b.6.d.3.4.1.d.5.9.a.e.f.6.8.3.3.a.4.1.2.3.e.2.2.4.8.4.d.d.b.6.6.5.1.8.3.!.X...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.1.6.:.2.0.:.2.6.:.3.8.!.0.!.X...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.

                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER635D.tmp.dmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 16 streams, Sun Nov 17 18:25:52 2024, 0x1205a4 type
                                                                      Category:dropped
                                                                      Size (bytes):513992
                                                                      Entropy (8bit):2.9388314543621927
                                                                      Encrypted:false
                                                                      SSDEEP:6144:c4Q5onLCtFYZZ5+5yRNITs0gr4qTR3Qan6E/MdsH/a+V1sjY:/BsK4qJQaJCsfd
                                                                      MD5:1B424847E4F744929A9DB566ECBBBEF6
                                                                      SHA1:636ED899E90F19EDDA353AF12B0B40E6CB0104E6
                                                                      SHA-256:8F589308B97A8392E396816B6FF8768DB802ECA518D39B83E8CD5D74487D6D91
                                                                      SHA-512:7067BDAB9AC220F23B07F2E455CFBF9D541AEAC35C438ABEC2764284D6BF3F1D0BFB88728A819F7F2C03ACFF088A858B4B613E3BE66FF4B9B086BA43E2C020BA
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:MDMP..a..... .......05:g............d............%..........l....0......4....0.......4..............l.......8...........T............Q.............. >...........@..............................................................................eJ.......@......Lw......................T............4:g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6504.tmp.WERInternalMetadata.xml

                                                                      Download File
                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):7244
                                                                      Entropy (8bit):3.7219121092480023
                                                                      Encrypted:false
                                                                      SSDEEP:192:R6l7wVeJvnPYk4jf4t8Sypre89bJptLPfzfZxjm:R6lXJfPYk64tlIJzLPfzfy
                                                                      MD5:CC760EF0A225EC0B41B12F4A4D77C597
                                                                      SHA1:B4E0FCB10D0CB26A38E1661EE4523E3246C70EEF
                                                                      SHA-256:BFC1FBD758A397B428BA0D71950A2683440FE8448415752B55ABB7173BBAE41A
                                                                      SHA-512:59E9E28B758B8D8DA7B410193DE732E3333AD02CAB8D038BDEB1F2EA212B4120491861D742D24D03D86FC2ABBD893D34FFD84E869D74C2F5F14FB0CD65785655
                                                                      Malicious:false
                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.

                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6543.tmp.xml

                                                                      Download File
                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4874
                                                                      Entropy (8bit):4.449083444368803
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwWl8zs6Jg771I9+ZWpW8VYEYm8M4JHSFK4yq8vRtQzV2nd:uIjfII7do7VkJd4WEx2nd
                                                                      MD5:4A3963020399D1D319F1B15B3368414C
                                                                      SHA1:75A5A0C9A289493DC39A18C379354A36911512AF
                                                                      SHA-256:F34DA58A0BDD6A9BCFF0473E3A58BD7A2551E9E85B5B05D987F6AE803B92257F
                                                                      SHA-512:D5287A9CEC34426D0CDF07D6A6AEC95BE82CC636DF6EF3BB172E89C44F563F53CB301BB95A4BC64C28E8F92CFCB0FC4E069CA92A6A7851C976F8E74C16589155
                                                                      Malicious:false
                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="592408" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OXhiMvksgM.exe.log

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\OXhiMvksgM.exe
                                                                      File Type:CSV text
                                                                      Category:dropped
                                                                      Size (bytes):654
                                                                      Entropy (8bit):5.380476433908377
                                                                      Encrypted:false
                                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                      Malicious:true
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\X.exe.log

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Roaming\X.exe
                                                                      File Type:CSV text
                                                                      Category:dropped
                                                                      Size (bytes):654
                                                                      Entropy (8bit):5.380476433908377
                                                                      Encrypted:false
                                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                      Malicious:false
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................

                                                                      C:\Users\user\AppData\Local\Temp\Semo.exe.lnk

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\OXhiMvksgM.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Oct 18 19:21:12 2024, mtime=Sat Nov 16 19:25:29 2024, atime=Sun Nov 10 22:05:12 2024, length=968192, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):1785
                                                                      Entropy (8bit):4.131835857452379
                                                                      Encrypted:false
                                                                      SSDEEP:24:8+6Umy0LmSlAm9aGuXMWR5XXnDfJRLR5Xs2KDR5XymC:8amy0LSmIbXMW/XXnDxd/XRi/Xy9
                                                                      MD5:87454103F3D64B8A7167915FB7743A20
                                                                      SHA1:07249045C09C432FEA3DBAC21FBBFEBE7C76620F
                                                                      SHA-256:119A6BBEC9B7221CC7687FA12DD2CD0D8FF91A17F073EF1EF649FF346B40BC84
                                                                      SHA-512:37F3E032C946ECDBE8397071D644CBFBE657DC914EC7E58CAD59BE8301B8480AF57AEFD8C50C240645974B713AEE0C00A9953DB83382A1B8C1FA0B61B6BD293D
                                                                      Malicious:false
                                                                      Preview:L..................F.... ....jLF.!...V.e8..r|...3............................f.1...........Beta Exploit..J............................................B.e.t.a. .E.x.p.l.o.i.t.....\.1...........Semo Beta.D............................................S.e.m.o. .B.e.t.a.....\.1...........Semo Beta.D............................................S.e.m.o. .B.e.t.a.....J.1...........bin.8............................................b.i.n.....P.1.....pY....Debug.<.......Y..pY.......*......................k.D.e.b.u.g.....Z.2.....jY.. .Semo.exe..B......RY..pY+.....\.........................S.e.m.o...e.x.e.......................-....................V.L.....C:\Users\VIP.DESKTOP-BGH9R29\Desktop\Beta Exploit\Semo Beta\Semo Beta\bin\Debug\Semo.exe..5...\.B.e.t.a. .E.x.p.l.o.i.t.\.S.e.m.o. .B.e.t.a.\.S.e.m.o. .B.e.t.a.\.b.i.n.\.D.e.b.u.g.\.S.e.m.o...e.x.e.O.C.:.\.U.s.e.r.s.\.V.I.P...D.E.S.K.T.O.P.-.B.G.H.9.R.2.9.\.D.e.s.k.t.o.p.\.B.e.t.a. .E.x.p.l.o.i.t.\.S.e.m.o. .B.e.t.a.\.S.e.m.o. .B.e.t.a.\.b.i.n

                                                                      C:\Users\user\AppData\Local\Temp\X.exe

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\OXhiMvksgM.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):62464
                                                                      Entropy (8bit):6.070303950933256
                                                                      Encrypted:false
                                                                      SSDEEP:1536:ZaAy0XwmWhpdnIrSJPoMzbr31MJOFW76xSOsPgLY:gAy0XuhvIrS9lzbr3OovSOs6Y
                                                                      MD5:2C76B88A912C741F1404B400C1ADD578
                                                                      SHA1:13D1B6D341D59AEF6833A4123E22484DDB665183
                                                                      SHA-256:5178365164F71D22459D807A5BA61E8D50DD15A4ADB4A00B08248C6F141F8074
                                                                      SHA-512:B8F8AE619F7CDF323C4F98E63BEA5C3059886792B0C5A41DF96A243811BF78DF2FEC45BF4B459E07C8C564EE2875852AC47EB3C3AD34CF70C8BA27C547163EBE
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\X.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\X.exe, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 74%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g................................. ... ....@.. .......................`............@.................................|...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........]..........&.....................................................(....*.r...p*. ....*..(....*.r+..p*. j...*.s.........s.........s.........s.........*.rU..p*. ..y.*.r...p*. A.*.*.r...p*. ...*.r...p*. .x!.*.r...p*. ....*..((...*.r...p*. S...*.r...p*. .(T.*&(....&+.*.+5sP... .... .'..oQ...(*...~....-.(@...(6...~....oR...&.-.*.r...p*.r...p*. ....*.r...p*. -.2.*.rI..p*. ..e.*.rs..p*. ...*"(A...+.*:.t....(=...+.*.r...p*.r...p*. .#..*.r=..p*. .O..*.rg..p*.r...p*. ^...*.r.

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00fd4eos.t33.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10v1h1h1.vja.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2mqi5pi0.hdf.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yanlcpp.fn2.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwx5cq5u.kd5.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gapu0315.y0y.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmrsoecl.u1a.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kxybqzn5.3nd.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogcykjou.cua.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skhan0r1.1qo.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tdvefrgy.iwg.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4tdsawi.k3i.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Local\Temp\X.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 17 17:24:38 2024, mtime=Sun Nov 17 17:24:39 2024, atime=Sun Nov 17 17:24:39 2024, length=62464, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):731
                                                                      Entropy (8bit):5.046761228413869
                                                                      Encrypted:false
                                                                      SSDEEP:12:8tRbzw4iBpnu8ChWrlXIsY//sW88L/8w5jAQ+HVnz43q7mV:87btoDVrlXUD8O/z9AQEz5m
                                                                      MD5:3A247E5328AAB2E3737414204029E0BF
                                                                      SHA1:E48F93A994EF2F77C4A4DD05151ECC0DF73F4426
                                                                      SHA-256:E2F923401E843AC9E266CBFB20D797F89D96F5239BECFB0A1479A5440308F4F4
                                                                      SHA-512:C9BF62DCA12B228FFF9589939C49429188C33C77A8B4C288D532E9ACBD45828A8757758FF88EFF87F31B54CAA989BC02788596805019EC489159D9F8E4227F0E
                                                                      Malicious:false
                                                                      Preview:L..................F.... ...)|7..9..au...9..au...9..........................d.:..DG..Yr?.D..U..k0.&...&.......$..S........9.......9......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2qY.............................^.A.p.p.D.a.t.a...B.V.1.....qY....Roaming.@......EW<2qY....../.......................%.R.o.a.m.i.n.g.....P.2.....qY.. .X.exe.<......qY..qY.............................nF.X...e.x.e.......V...............-.......U.............T|.....C:\Users\user\AppData\Roaming\X.exe........\.....\.....\.....\.....\.X...e.x.e.`.......X.......610930...........hT..CrF.f4... .G".*.....-...-$..hT..CrF.f4... .G".*.....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                      C:\Users\user\AppData\Roaming\X.exe

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Local\Temp\X.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):62464
                                                                      Entropy (8bit):6.070303950933256
                                                                      Encrypted:false
                                                                      SSDEEP:1536:ZaAy0XwmWhpdnIrSJPoMzbr31MJOFW76xSOsPgLY:gAy0XuhvIrS9lzbr3OovSOs6Y
                                                                      MD5:2C76B88A912C741F1404B400C1ADD578
                                                                      SHA1:13D1B6D341D59AEF6833A4123E22484DDB665183
                                                                      SHA-256:5178365164F71D22459D807A5BA61E8D50DD15A4ADB4A00B08248C6F141F8074
                                                                      SHA-512:B8F8AE619F7CDF323C4F98E63BEA5C3059886792B0C5A41DF96A243811BF78DF2FEC45BF4B459E07C8C564EE2875852AC47EB3C3AD34CF70C8BA27C547163EBE
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\X.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\X.exe, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 74%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g................................. ... ....@.. .......................`............@.................................|...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........]..........&.....................................................(....*.r...p*. ....*..(....*.r+..p*. j...*.s.........s.........s.........s.........*.rU..p*. ..y.*.r...p*. A.*.*.r...p*. ...*.r...p*. .x!.*.r...p*. ....*..((...*.r...p*. S...*.r...p*. .(T.*&(....&+.*.+5sP... .... .'..oQ...(*...~....-.(@...(6...~....oR...&.-.*.r...p*.r...p*. ....*.r...p*. -.2.*.rI..p*. ..e.*.rs..p*. ...*"(A...+.*:.t....(=...+.*.r...p*.r...p*. .#..*.r=..p*. .O..*.rg..p*.r...p*. ^...*.r.

                                                                      C:\Windows\appcompat\Programs\Amcache.hve

                                                                      Download File
                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                      Category:dropped
                                                                      Size (bytes):1835008
                                                                      Entropy (8bit):4.4685575024292525
                                                                      Encrypted:false
                                                                      SSDEEP:6144:2zZfpi6ceLPx9skLmb0fiZWSP3aJG8nAgeiJRMMhA2zX4WABluuN+jDH5S:YZHtiZWOKnMM6bFpMj4
                                                                      MD5:11984E7E8E4CCF670650A00815F258EC
                                                                      SHA1:7AAE2C73823D93921EBB0804C33CFDFC3C01FD7E
                                                                      SHA-256:E8D059F40C27FFA13ECB5C4046B441FF725D8CA4AE60961DCA1FD7587D16161F
                                                                      SHA-512:8F1A8331DEE58870CE05DBC90E56AA844771CB5876FB73717576F5D6E96C39F8566C26F27B23E4C67A13BC36AEEE61E7F52B4EAA0F58F0B12AC5A24E138BF34A
                                                                      Malicious:false
                                                                      Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"N#".9................................................................................................................................................................................................................................................................................................................................................5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.937745349161464
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:OXhiMvksgM.exe
                                                                      File size:172'032 bytes
                                                                      MD5:651429675c1d86cf068746159aa66b6d
                                                                      SHA1:aad51d3448cb1e9f337a985ed840a0064d5699ee
                                                                      SHA256:30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c
                                                                      SHA512:397e2a05e8f3d45c04953998a09d76212b38e3dc9073be814cb3010ea94b00733d2557a6e5002b0a2401fb33d62908e794553a6afd31e45b0afe6987806272fb
                                                                      SSDEEP:3072:gwe+6Rkd+MisaP1JmK6Hw9hEgXEp1NDLfgAiKgD7fYtB2SOEQW40/mmo0ioi:glbRFLsaPfmK6HwXDXsFglf7gya4tm
                                                                      TLSH:07F30225B5E243BBCB250B7AA0547970DBF8D206D993AB1E718094439FB367802E17B8
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.9g............................^.... ........@.. ....................................@................................

                                                                      File Icon

                                                                      Icon Hash:0e70f8f8e2e07162

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x40d35e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x67390126 [Sat Nov 16 20:31:34 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xd3040x57.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xe0000x1e60c.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x2e0000xc.reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x20000xb3640xb4008f96a987368ebca5b76183e7084fb69bFalse0.9250868055555556data7.829056816610667IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rsrc0xe0000x1e60c0x1e800fb25f700eecd3a1b85575a2b2a1126e4False0.9908987576844263data7.972955483073308IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .reloc0x2e0000xc0x200c32c49a3e3b69f16e3d1001a75270169False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      RT_ICON0xe1300x1e07ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced1.0001300749556932
                                                                      RT_GROUP_ICON0x2c1b00x14Targa image data - Map 65536 x 57470 x 10.9
                                                                      RT_VERSION0x2c1c40x25cdata0.4652317880794702
                                                                      RT_MANIFEST0x2c4200x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                      Imports

                                                                      DLLImport
                                                                      mscoree.dll_CorExeMain

                                                                      Network Behavior

                                                                      Suricata IDS Alerts

                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                      2024-11-17T19:25:51.797648+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.649995147.185.221.2254756TCP

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Nov 17, 2024 19:24:40.278414965 CET4989954756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:40.283226013 CET5475649899147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:40.283292055 CET4989954756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:40.439021111 CET4989954756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:40.444031954 CET5475649899147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:48.764446020 CET5475649899147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:48.766483068 CET4989954756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:50.641515970 CET4989954756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:50.643949986 CET4996054756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:50.646910906 CET5475649899147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:50.648880959 CET5475649960147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:50.648956060 CET4996054756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:50.658989906 CET4996054756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:24:50.663934946 CET5475649960147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:59.130621910 CET5475649960147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:24:59.130683899 CET4996054756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:00.179682970 CET4996054756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:00.184855938 CET5475649960147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:00.189979076 CET4998754756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:00.195072889 CET5475649987147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:00.195225954 CET4998754756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:00.208877087 CET4998754756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:00.214025021 CET5475649987147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:08.682990074 CET5475649987147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:08.683166981 CET4998754756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:09.609760046 CET4998754756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:09.611013889 CET4998854756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:09.615101099 CET5475649987147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:09.616328001 CET5475649988147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:09.616461992 CET4998854756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:09.626779079 CET4998854756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:09.631889105 CET5475649988147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:18.113080978 CET5475649988147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:18.113167048 CET4998854756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:19.687875032 CET4998854756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:19.689610004 CET4999154756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:19.693166018 CET5475649988147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:19.694628000 CET5475649991147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:19.694722891 CET4999154756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:19.706197977 CET4999154756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:19.711220980 CET5475649991147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:28.173572063 CET5475649991147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:28.173717976 CET4999154756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:29.203557968 CET4999154756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:29.204796076 CET4999254756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:29.208949089 CET5475649991147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:29.209943056 CET5475649992147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:29.210036993 CET4999254756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:29.220182896 CET4999254756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:29.225167036 CET5475649992147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:37.685781956 CET5475649992147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:37.685986996 CET4999254756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:37.687714100 CET4999254756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:37.688927889 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:37.692567110 CET5475649992147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:37.693802118 CET5475649993147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:37.693878889 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:37.703752995 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:37.708656073 CET5475649993147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:42.847923040 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:42.852966070 CET5475649993147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:44.687958956 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:44.759182930 CET5475649993147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:46.182178020 CET5475649993147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:46.182356119 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:48.672141075 CET4999354756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:48.677170038 CET5475649993147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:48.677198887 CET4999554756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:48.682234049 CET5475649995147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:48.683505058 CET4999554756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:48.839363098 CET4999554756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:48.845174074 CET5475649995147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:51.797647953 CET4999554756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:51.803189993 CET5475649995147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:57.165898085 CET5475649995147.185.221.22192.168.2.6
                                                                      Nov 17, 2024 19:25:57.167399883 CET4999554756192.168.2.6147.185.221.22
                                                                      Nov 17, 2024 19:25:57.934715986 CET4999554756192.168.2.6147.185.221.22

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Nov 17, 2024 19:24:40.262684107 CET5561453192.168.2.61.1.1.1
                                                                      Nov 17, 2024 19:24:40.275399923 CET53556141.1.1.1192.168.2.6

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Nov 17, 2024 19:24:40.262684107 CET192.168.2.61.1.1.10x9035Standard query (0)activities-mustang.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Nov 17, 2024 19:24:40.275399923 CET1.1.1.1192.168.2.60x9035No error (0)activities-mustang.gl.at.ply.gg147.185.221.22A (IP address)IN (0x0001)false

                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:13:23:56
                                                                      Start date:17/11/2024
                                                                      Path:C:\Users\user\Desktop\OXhiMvksgM.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\OXhiMvksgM.exe"
                                                                      Imagebase:0x1d0000
                                                                      File size:172'032 bytes
                                                                      MD5 hash:651429675C1D86CF068746159AA66B6D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:2
                                                                      Start time:13:23:59
                                                                      Start date:17/11/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\X.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\X.exe"
                                                                      Imagebase:0x6c0000
                                                                      File size:62'464 bytes
                                                                      MD5 hash:2C76B88A912C741F1404B400C1ADD578
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\X.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\X.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 74%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:3
                                                                      Start time:13:24:02
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
                                                                      Imagebase:0x7ff6e3d50000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:4
                                                                      Start time:13:24:03
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:6
                                                                      Start time:13:24:09
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
                                                                      Imagebase:0x7ff6e3d50000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:7
                                                                      Start time:13:24:09
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:11
                                                                      Start time:13:24:21
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
                                                                      Imagebase:0x7ff6e3d50000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:12
                                                                      Start time:13:24:21
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:14
                                                                      Start time:13:24:50
                                                                      Start date:17/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\X.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Roaming\X.exe"
                                                                      Imagebase:0x400000
                                                                      File size:62'464 bytes
                                                                      MD5 hash:2C76B88A912C741F1404B400C1ADD578
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\X.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\X.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 74%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:15
                                                                      Start time:13:24:58
                                                                      Start date:17/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\X.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Roaming\X.exe"
                                                                      Imagebase:0xc0000
                                                                      File size:62'464 bytes
                                                                      MD5 hash:2C76B88A912C741F1404B400C1ADD578
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:17
                                                                      Start time:13:25:52
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\WerFault.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100
                                                                      Imagebase:0x7ff720080000
                                                                      File size:570'736 bytes
                                                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:18
                                                                      Start time:13:25:52
                                                                      Start date:17/11/2024
                                                                      Path:C:\Windows\System32\WerFault.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7100 -s 2088
                                                                      Imagebase:0x7ff720080000
                                                                      File size:570'736 bytes
                                                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Disassembly

                                                                      Reset < >

                                                                        Executed Functions

                                                                        Function 00007FFD34890A21 Relevance: .4, Instructions: 422COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b0c152a418cf9b01ae289ef4593626e399c1140b80f229d470a9afe19f3112c4
                                                                        • Instruction ID: ec6cdcb0603e7e2c6715f746f47f431adc3997fe3dc346b422933c2a880e4391
                                                                        • Opcode Fuzzy Hash: b0c152a418cf9b01ae289ef4593626e399c1140b80f229d470a9afe19f3112c4
                                                                        • Instruction Fuzzy Hash: 59D19130B189198FEB98EB68C4A4ABD77E2FF56311B500639E51EC32D2CF39AC519740
                                                                        Function 00007FFD348912D3 Relevance: 2.1, Strings: 1, Instructions: 839COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: _`]
                                                                        • API String ID: 0-2558284136
                                                                        • Opcode ID: b145672f0db5aa458aeeb4c6fd40c6fc255e35f0a88d4a50601f385f1913cd35
                                                                        • Instruction ID: 99f1420d255194340b19de9ac03004450fec6ec49e99fcc47a258af7bd1a6608
                                                                        • Opcode Fuzzy Hash: b145672f0db5aa458aeeb4c6fd40c6fc255e35f0a88d4a50601f385f1913cd35
                                                                        • Instruction Fuzzy Hash: 57C1E361B1CE454FF7999B6C48A93A96FD2FF9A310F4801BAD44DC32D3DE28AC059341
                                                                        Function 00007FFD348905A7 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 3CO_^
                                                                        • API String ID: 0-3937211734
                                                                        • Opcode ID: 1987cc576c411cbed941dbea522f989c652f4fd1ee6b83ff0d7d27cb918186e6
                                                                        • Instruction ID: b5ace302f08d4eb1cc5a809a5c9c184032cd0505ebdfb368905a3bd52acf196d
                                                                        • Opcode Fuzzy Hash: 1987cc576c411cbed941dbea522f989c652f4fd1ee6b83ff0d7d27cb918186e6
                                                                        • Instruction Fuzzy Hash: C5F08920F0D5810AFBA673B444B63B92F509F43318F4400BDD54DEB5C3DD6E6445A392
                                                                        Function 00007FFD34890888 Relevance: 1.3, Strings: 1, Instructions: 29COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 3CO_^
                                                                        • API String ID: 0-3937211734
                                                                        • Opcode ID: 1c0930aa0b52d1874d57e95fabf49990acff5052f13e5842eef3f40d5be9c551
                                                                        • Instruction ID: 0b721d76dd57abdf2be9dfab73d311de49f7e47f65d90f85a32951be4a1fcc7c
                                                                        • Opcode Fuzzy Hash: 1c0930aa0b52d1874d57e95fabf49990acff5052f13e5842eef3f40d5be9c551
                                                                        • Instruction Fuzzy Hash: 4EF08220F0E58206FBA977B444B63B92E409F83318F4800B9D54DEB6C3DE7EA441A292
                                                                        Function 00007FFD348904A8 Relevance: .3, Instructions: 333COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a200ef0e399107d7f65c52a27d460b1e100fd86adb4b0744c9cc7a7e31e51749
                                                                        • Instruction ID: 1f4721f5de6bcce1b7c54a6a5ee3dc28f4579b014521647cf067ee3ec1930bea
                                                                        • Opcode Fuzzy Hash: a200ef0e399107d7f65c52a27d460b1e100fd86adb4b0744c9cc7a7e31e51749
                                                                        • Instruction Fuzzy Hash: 40A1B261B1CE494FF798EB6C84A93A97AD2FF99310F4841B9E40DD32D2DE38AC419351
                                                                        Function 00007FFD3489109E Relevance: .0, Instructions: 39COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a126b960c0a0ea47c940b1028857c8990a0e84291796d6dd8bbf92fadef8b383
                                                                        • Instruction ID: 22959b9c38adafe5aa7eaa2d04c9381c43f72681f15694285ac061d1ee3139b9
                                                                        • Opcode Fuzzy Hash: a126b960c0a0ea47c940b1028857c8990a0e84291796d6dd8bbf92fadef8b383
                                                                        • Instruction Fuzzy Hash: 39E09B02F0CD090BF7A4A6AC74E53B857C2D7DD621B40017AD10DC3386EC1D5C835341
                                                                        Function 00007FFD348909B1 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5917c9647f962fad12ec5208fd18bfb14977f221b4ed965792f19d3781c63772
                                                                        • Instruction ID: 2b1e4f9968dafb4470d3b11967670c55296fd2e4732c01300fe30057b671447b
                                                                        • Opcode Fuzzy Hash: 5917c9647f962fad12ec5208fd18bfb14977f221b4ed965792f19d3781c63772
                                                                        • Instruction Fuzzy Hash: E5F0EC42E0CA950FF395672404BA1692FD0DF97250F48017BE98DCA1E3DD1DA5819341
                                                                        Function 00007FFD348909E9 Relevance: .0, Instructions: 22COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2171895684.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34890000_OXhiMvksgM.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 82d7864891d272d93126c5f86f761b3ebaf82a858d4dba17be7e33b30a30ebbd
                                                                        • Instruction ID: 7b9b488301f6c133f95c6a2f00bfabc1c193becbc938871fb5cce7a1e6155770
                                                                        • Opcode Fuzzy Hash: 82d7864891d272d93126c5f86f761b3ebaf82a858d4dba17be7e33b30a30ebbd
                                                                        • Instruction Fuzzy Hash: 7DD0C22171C9250BABC4F61CA8A1C79B7C5EBC4360B480525F80CD3289CD28EA8183C1

                                                                        Execution Graph

                                                                        Execution Coverage:18.8%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:3
                                                                        Total number of Limit Nodes:0
                                                                        execution_graph 3391 7ffd348b11dd 3392 7ffd348b11e7 RtlSetProcessIsCritical 3391->3392 3394 7ffd348b2bb2 3392->3394

                                                                        Executed Functions

                                                                        Function 00007FFD348B11DD Relevance: 1.7, APIs: 1, Instructions: 164COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 368 7ffd348b11dd-7ffd348b1214 375 7ffd348b1216-7ffd348b1236 368->375 376 7ffd348b125a-7ffd348b2b4a 368->376 375->376 381 7ffd348b2b52-7ffd348b2bb0 RtlSetProcessIsCritical 376->381 382 7ffd348b2bb8-7ffd348b2bed 381->382 383 7ffd348b2bb2 381->383 383->382
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3322850502.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd348b0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 616120f15a3a6b921041c930bc8cb34ba65af46a2c5a555d9b35619dfc823ed7
                                                                        • Instruction ID: 6cf319d6142a2dfa75b37ff7b941e4fd2de6b3ae596b590ad4347d88e1f024a7
                                                                        • Opcode Fuzzy Hash: 616120f15a3a6b921041c930bc8cb34ba65af46a2c5a555d9b35619dfc823ed7
                                                                        • Instruction Fuzzy Hash: A1411771A0C6858FEB19DBA888A56E97FE0EF66310F08016FD09AD3193DE686445C791
                                                                        Function 00007FFD348B2ACD Relevance: 1.6, APIs: 1, Instructions: 145COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 385 7ffd348b2acd-7ffd348b2bb0 RtlSetProcessIsCritical 389 7ffd348b2bb8-7ffd348b2bed 385->389 390 7ffd348b2bb2 385->390 390->389
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3322850502.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd348b0000_X.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalProcess
                                                                        • String ID:
                                                                        • API String ID: 2695349919-0
                                                                        • Opcode ID: 4106542b95ffed68bece7a3a3f951a24fac739e0edf1d5b307366e125d0109b9
                                                                        • Instruction ID: 0ca601c55c3e9799e3542d0f95dee0b90640019b050635d8eab61145790d950b
                                                                        • Opcode Fuzzy Hash: 4106542b95ffed68bece7a3a3f951a24fac739e0edf1d5b307366e125d0109b9
                                                                        • Instruction Fuzzy Hash: AD41163190C7588FC729DF98C859AE9BBF0FF56310F04416ED08AC3592CB786846CB91

                                                                        Executed Functions

                                                                        Function 00007FFD3488A0D3 Relevance: .3, Instructions: 254COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241381099.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34880000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 933fc9d8dc20f8b82359a4dd0102561ac5c800c45c0f743b808a3fe81deefde3
                                                                        • Instruction ID: 62e8b0a232c54b5e0233ef7eeb7c3c31290390400aa9bdaa2b83f2334329aa5f
                                                                        • Opcode Fuzzy Hash: 933fc9d8dc20f8b82359a4dd0102561ac5c800c45c0f743b808a3fe81deefde3
                                                                        • Instruction Fuzzy Hash: 2811517650EBC58FDB539B2888661A47FB0EE6321170901EBD589CF0E3DA194C49D753
                                                                        Function 00007FFD34954073 Relevance: .2, Instructions: 183COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241822247.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34950000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 83a910e310a5a75bf6b431f33082e74845bf856dc85e4ad88233c2da88bf56dc
                                                                        • Instruction ID: 57dae2c628d20e80471c9beea857168a0d096b5504c1b9252ee85042a6f51b4d
                                                                        • Opcode Fuzzy Hash: 83a910e310a5a75bf6b431f33082e74845bf856dc85e4ad88233c2da88bf56dc
                                                                        • Instruction Fuzzy Hash: A4512932B0DA968FEBD9D62D54B167477D2EFA6210B2800FEC24DC7197DD29EC058351
                                                                        Function 00007FFD34954370 Relevance: .1, Instructions: 147COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241822247.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34950000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0c546c410910516c832e67963a2cc66cf3bad795a02bd163411af626e86385c6
                                                                        • Instruction ID: 3b5472ab92b9f049e1ad080e152aaa6a578dfbeb01db6e50d6fe2bd82bf7ea57
                                                                        • Opcode Fuzzy Hash: 0c546c410910516c832e67963a2cc66cf3bad795a02bd163411af626e86385c6
                                                                        • Instruction Fuzzy Hash: CF412832B0DA858FEBE9DB6C54A16B477D1EF46224B1800FED14DC71A7D928BC148391
                                                                        Function 00007FFD3476E620 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2240826411.00007FFD3476D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3476D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd3476d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b3dbdbf5fe2ae24913185fa83792a37cc0f5cf6bbb76f46a22fa10fbb6d530d6
                                                                        • Instruction ID: dc1d3614b8e725da2cafc8996ae513a4e2c9e19aa87d6e481fda061d62ccbb2f
                                                                        • Opcode Fuzzy Hash: b3dbdbf5fe2ae24913185fa83792a37cc0f5cf6bbb76f46a22fa10fbb6d530d6
                                                                        • Instruction Fuzzy Hash: 0C41257140DBC48FE7569B2898959523FF0EF53320B1905EFD088CB1A3D629B846C7E2
                                                                        Function 00007FFD3488978F Relevance: .1, Instructions: 109COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241381099.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34880000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ffa47db7208c9fcdbf70dce9a68f15acbd869e45254655cf3fd4331f6a76dc3
                                                                        • Instruction ID: 0aae2cee36dc877ca652ac65f969900c9e362c0c56e52a8d7f9644f073700431
                                                                        • Opcode Fuzzy Hash: 6ffa47db7208c9fcdbf70dce9a68f15acbd869e45254655cf3fd4331f6a76dc3
                                                                        • Instruction Fuzzy Hash: DD31823091CB4C9FDB58DB5CA84A6A97BE0FB99721F00422FE449D3251DB71A855CBC2
                                                                        Function 00007FFD3488A62C Relevance: .1, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241381099.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34880000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2a532bd3596de032856d6d8e60496646cdc1a682a6ab48bfa563507b563e022d
                                                                        • Instruction ID: 44fd37342e50be1796aad8132b65751676ea4033b48d74e6c0fba64485bcbb10
                                                                        • Opcode Fuzzy Hash: 2a532bd3596de032856d6d8e60496646cdc1a682a6ab48bfa563507b563e022d
                                                                        • Instruction Fuzzy Hash: BA21F63190CB4C4FDB59DFAC988A7F97BF0EB96321F04416BD448C3156DA74A41ACB92
                                                                        Function 00007FFD349540BF Relevance: .1, Instructions: 96COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241822247.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34950000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 054f4e1a8eff80249aed9516b067d6ae08d8f69ad6a50aa2c12440197cfbc513
                                                                        • Instruction ID: d67f5969ea9d8b7abae88aaefd9cf840905452132797c847c627ca54ab1e8d7c
                                                                        • Opcode Fuzzy Hash: 054f4e1a8eff80249aed9516b067d6ae08d8f69ad6a50aa2c12440197cfbc513
                                                                        • Instruction Fuzzy Hash: 1921D732B0DA968FE7E9EB1D44B063466D2EF66214B6900FED14DC71ABCD2CEC059351
                                                                        Function 00007FFD349543BC Relevance: .1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241822247.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34950000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c2c725594793b8d251a03914d37e6460d78ae43cf607ccbabee3b41f9c7a1971
                                                                        • Instruction ID: ef3a1cfe10d17bf92cff86b45a4019e01d51ff398c1298c52117984da83f91a0
                                                                        • Opcode Fuzzy Hash: c2c725594793b8d251a03914d37e6460d78ae43cf607ccbabee3b41f9c7a1971
                                                                        • Instruction Fuzzy Hash: 6011E332A0E5858FE7E4DB1954B467877E1EF0221476800FED55DC70AAC92DBC149361
                                                                        Function 00007FFD3495681E Relevance: .1, Instructions: 60COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241822247.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34950000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4877d95faa2fc3b121f47a4ec4c4d57c6ab9428af0af044be6f3c822900639e5
                                                                        • Instruction ID: 626a5d52bf0bab02f70df3392c55ef761242e248d51df257264868a3122b5d82
                                                                        • Opcode Fuzzy Hash: 4877d95faa2fc3b121f47a4ec4c4d57c6ab9428af0af044be6f3c822900639e5
                                                                        • Instruction Fuzzy Hash: 6E110672F0D6884FEB55DB5854E41A87BD1EF56314B2840FEC64CC7097DE29AC45C320
                                                                        Function 00007FFD348833B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241381099.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34880000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                        • Instruction ID: 5fffc6dc26c3eb99b3910d994459d48da0474aba520a49b72d272c666e07c8f2
                                                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                        • Instruction Fuzzy Hash: B501677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45

                                                                        Non-executed Functions

                                                                        Function 00007FFD34888BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.2241381099.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd34880000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: O_^4$O_^7$O_^F$O_^J
                                                                        • API String ID: 0-875994666
                                                                        • Opcode ID: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                                                                        • Instruction ID: c9a0fcbba5cac8c5ae4cf8ce97827e6c8d021f2f9316440eccd08d4bc6f04011
                                                                        • Opcode Fuzzy Hash: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                                                                        • Instruction Fuzzy Hash: A32104BB718026AED2117BFDB8245DA3754CFD433634912B2D19E9F243E934708A8A90

                                                                        Executed Functions

                                                                        Function 00007FFD348C6435 Relevance: .7, Instructions: 714COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354135081.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 39eb19abddac7030ed1006a92eb14abc683d901a313b9f3adc8067217cece4a5
                                                                        • Instruction ID: 93cfba2efc6c37011aa30c1f70d1ae35386771acbb83013f6134e5557483ed60
                                                                        • Opcode Fuzzy Hash: 39eb19abddac7030ed1006a92eb14abc683d901a313b9f3adc8067217cece4a5
                                                                        • Instruction Fuzzy Hash: 8BD17030A08A4D8FDF95DF58D4A5AA9B7F1FF69300F14417AD409E7296CA38EC85CB81
                                                                        Function 00007FFD348C9750 Relevance: .2, Instructions: 193COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354135081.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: db9883bb508d6b3def28b3edbb1d2f106a3e9d8b7e8f8472599dde2bd3b0d870
                                                                        • Instruction ID: 55f9b0139846b2671194305a1b6c67b578160d520c2ff19b7ec281c5bfc26e5b
                                                                        • Opcode Fuzzy Hash: db9883bb508d6b3def28b3edbb1d2f106a3e9d8b7e8f8472599dde2bd3b0d870
                                                                        • Instruction Fuzzy Hash: 2451FA72A0EAC95FE7159F1C5C562A8BFE0EF56310F0441BFD199C7193DA28A8068BD2
                                                                        Function 00007FFD34994073 Relevance: .2, Instructions: 183COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354915741.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd34990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 880c5d3ec43a726e86ead77148e48160bcc3c945c8e4afe8e7fb793af6b85390
                                                                        • Instruction ID: 8170627c2a3bf8894d2de11bb0cbb543f22f0b0d46c801419e1ffe00723b6942
                                                                        • Opcode Fuzzy Hash: 880c5d3ec43a726e86ead77148e48160bcc3c945c8e4afe8e7fb793af6b85390
                                                                        • Instruction Fuzzy Hash: A3512B32B0DA968FEBAADB1C54B157577D2EFA6210B1800BFC24DC719BDE29EC058351
                                                                        Function 00007FFD34994370 Relevance: .1, Instructions: 147COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354915741.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd34990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 79ad17d0291e67dca0610144b8c256dfdb74ffd7dea1af9a56bd83367ad31279
                                                                        • Instruction ID: 724436238615c61b19995f6c5452e510055089e76589f92baddcc5df48c7202f
                                                                        • Opcode Fuzzy Hash: 79ad17d0291e67dca0610144b8c256dfdb74ffd7dea1af9a56bd83367ad31279
                                                                        • Instruction Fuzzy Hash: 9241F632B0DA858FEBAAD76C54B15B477D1EF46324B0801FED54DC7197E919BC0483A1
                                                                        Function 00007FFD347AEF00 Relevance: .1, Instructions: 129COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2353423113.00007FFD347AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347AD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd347ad000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 18d795c3ebbd2e1e5d8a82feadd8aaaeb374ed01a4054f54fd4b5cc7b785f9fc
                                                                        • Instruction ID: 3073a31b268530a6c1667460168fef5f5d50a727ecc650b41ccd9f73e6d15de0
                                                                        • Opcode Fuzzy Hash: 18d795c3ebbd2e1e5d8a82feadd8aaaeb374ed01a4054f54fd4b5cc7b785f9fc
                                                                        • Instruction Fuzzy Hash: AA410B7181EBC48FE7968B2998A59523FF0EF57320B1901DFD088CB1A3D629B845C7D2
                                                                        Function 00007FFD349940BF Relevance: .1, Instructions: 96COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354915741.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd34990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 219e939ddfb68f2382bc46ffb9c0e7526e2fe02aa2c240d3264b09dbd26825c6
                                                                        • Instruction ID: 18593fa0bc65ee33851e6ac75b60ab8db3011dc339649bfbc0dbba337c21583a
                                                                        • Opcode Fuzzy Hash: 219e939ddfb68f2382bc46ffb9c0e7526e2fe02aa2c240d3264b09dbd26825c6
                                                                        • Instruction Fuzzy Hash: 2B21D522B0DA969FE7B6DB1C44F057467D2EF66210B4900BED64DC71ABDE2CEC049351
                                                                        Function 00007FFD348CA636 Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354135081.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a305b0855009ab93a6c1296888cd2f3dd4bb7741e27c9ec8ade207d1884fc183
                                                                        • Instruction ID: 45467626bc60f55b64af72c69c58861b65a0b0585981ef66eb846c25bc7e3ea8
                                                                        • Opcode Fuzzy Hash: a305b0855009ab93a6c1296888cd2f3dd4bb7741e27c9ec8ade207d1884fc183
                                                                        • Instruction Fuzzy Hash: 0F21E53190CB4C8FDB58DFAC984A7EA7BF0EB96321F04416FD448C7152D674A41ACB91
                                                                        Function 00007FFD349943BC Relevance: .1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354915741.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd34990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f6e68621650cc22fcab80cb8fdc09742a225652d1207ff703c33307e29c997d
                                                                        • Instruction ID: a592edc469d5cbfad95f3e800dbc9b61a87bd6b795379d29daad3484c8549fc4
                                                                        • Opcode Fuzzy Hash: 6f6e68621650cc22fcab80cb8fdc09742a225652d1207ff703c33307e29c997d
                                                                        • Instruction Fuzzy Hash: DB11E032A0E5858FE7A6DB2884B55B87BD1EF0622474800FED55DCB19BDA1DBC049361
                                                                        Function 00007FFD3499681E Relevance: .1, Instructions: 60COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354915741.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd34990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8fdffdeb73061e833bc5c298e77b9bb92da8f5bb918b0ad90ca026cfed79d553
                                                                        • Instruction ID: 84cada7eef8b1f9dd577be0d2bf90437262eec93e82a293543974cc801d762be
                                                                        • Opcode Fuzzy Hash: 8fdffdeb73061e833bc5c298e77b9bb92da8f5bb918b0ad90ca026cfed79d553
                                                                        • Instruction Fuzzy Hash: 6411E372B0D6884FEB55DA5990E45A87B91EF5A210B0440BEC54CC7097DA29AC45C320
                                                                        Function 00007FFD348C33B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354135081.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                        • Instruction ID: bd047773c0eba2039cb01fe63577d77a598f3d7d22b04674929b2521223c22b2
                                                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                        • Instruction Fuzzy Hash: 8401677121CB0D4FD744EF4CE491AA6B7E0FB99364F10056EE58AC3651DA36E882CB45

                                                                        Non-executed Functions

                                                                        Function 00007FFD348C8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354135081.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                        • API String ID: 0-2350917820
                                                                        • Opcode ID: bc87f67d5ee211d0230bc6426bec13470efd9727eb4ff8c2f699d3309f46b341
                                                                        • Instruction ID: 3befbb867b30bde3dac9ca2e05dcef36ef7f3eacb583151e1d11943beb4ec722
                                                                        • Opcode Fuzzy Hash: bc87f67d5ee211d0230bc6426bec13470efd9727eb4ff8c2f699d3309f46b341
                                                                        • Instruction Fuzzy Hash: DE210473B085156BCA1236FCB8A15D977A4DB5437834912F3E018EF013E938B48B8680
                                                                        Function 00007FFD348C89F2 Relevance: 7.6, Strings: 6, Instructions: 118COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2354135081.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: K_^$K_^$K_^$K_^$K_^$K_^
                                                                        • API String ID: 0-2891007843
                                                                        • Opcode ID: 51899d49f7866a20d91234e35ac47eac4363013a3658f32f5e5786d2b9cc729d
                                                                        • Instruction ID: e1c2e42eb859b12fe6dce358208df803d964b7156f00c33286735b38732b8b21
                                                                        • Opcode Fuzzy Hash: 51899d49f7866a20d91234e35ac47eac4363013a3658f32f5e5786d2b9cc729d
                                                                        • Instruction Fuzzy Hash: FE4153A3F4D6C21BF6A6432819F6095ABD0EF6335AB0905F7C298CA093ED1D5C436217

                                                                        Executed Functions

                                                                        Function 00007FFD3489644D Relevance: .7, Instructions: 707COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2d64f1e2318e4a679313b1ed38844097b2692f5a9bfe5dd18b729018ef9b5f97
                                                                        • Instruction ID: 469dd1610623d55de20e2c97b090520eb55472bbade319efa11ea0041850aa7d
                                                                        • Opcode Fuzzy Hash: 2d64f1e2318e4a679313b1ed38844097b2692f5a9bfe5dd18b729018ef9b5f97
                                                                        • Instruction Fuzzy Hash: 26D17031A18A4D8FDF95DF5CC4A5AE97BE1FF69300F14416AD40DE72A6CA34E881CB81
                                                                        Function 00007FFD34899F52 Relevance: .2, Instructions: 200COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 532a44ed81435b351b36455405f35dfcac3e4388862e72aa15f35a34ef881331
                                                                        • Instruction ID: 6b5b3a2758deb84793a45d8a22bd56306ca0ab799a676ccc83d6d0f6d4f60d30
                                                                        • Opcode Fuzzy Hash: 532a44ed81435b351b36455405f35dfcac3e4388862e72aa15f35a34ef881331
                                                                        • Instruction Fuzzy Hash: 55512E67A08EC55BD712A77C9CB60E97FE0EF13329B0901B6C698CB053ED2C24569786
                                                                        Function 00007FFD34964073 Relevance: .2, Instructions: 182COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2516435377.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b25911a95d18d4e117342b7780e2d441ef458c5f4f081361e03b7fa2371ed0cb
                                                                        • Instruction ID: 7b3266a5e0371b1f8405691f3bcee3be424292d3497107f0e0269c5fe9744a03
                                                                        • Opcode Fuzzy Hash: b25911a95d18d4e117342b7780e2d441ef458c5f4f081361e03b7fa2371ed0cb
                                                                        • Instruction Fuzzy Hash: 4F514622B0CA568FEBA9DA9C54B15B477D2EFA6230B1900BFC24DC7197DE2CEC018755
                                                                        Function 00007FFD34899768 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c6c519701e90ec8980b74d112578fdf56a16eed10a148234aa0e00b48a9842ba
                                                                        • Instruction ID: c49426cc34a3230bca1b86d07126591b21d32acd8101c65e74a7a6044ac9dc85
                                                                        • Opcode Fuzzy Hash: c6c519701e90ec8980b74d112578fdf56a16eed10a148234aa0e00b48a9842ba
                                                                        • Instruction Fuzzy Hash: 3931A57191CF489FDB589F5CA8466A97BE0FB99310F00422FE449D3351DB74A8568BC2
                                                                        Function 00007FFD3489A47C Relevance: .1, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 936e6af6203c4933bf03ac22c2757c492f92679a07c5f6f919c951c4318521a4
                                                                        • Instruction ID: d817b5bed3aca4205ce7cb934a3af39acf6b2aa796c37093728c166f0c9a8b75
                                                                        • Opcode Fuzzy Hash: 936e6af6203c4933bf03ac22c2757c492f92679a07c5f6f919c951c4318521a4
                                                                        • Instruction Fuzzy Hash: 90210A3190CB4C4FDB59DFAC988A7E97FF0EB96321F04416BD448C3152DA74A41ACB91
                                                                        Function 00007FFD349640BF Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2516435377.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2a155dded5c1953f9e45e7680a71bb9bf4c2fffe94d24e1abbbf95ec9186aee6
                                                                        • Instruction ID: d60c1ca47a0c6d638187cc412f7c787c086e8ab82c9db66a6ffe03bf7697840d
                                                                        • Opcode Fuzzy Hash: 2a155dded5c1953f9e45e7680a71bb9bf4c2fffe94d24e1abbbf95ec9186aee6
                                                                        • Instruction Fuzzy Hash: 4821F522B0DA568FEBA59B5C44B057022D2EF66230B5A00BED14DC71ABCD2CEC009B59
                                                                        Function 00007FFD3496681E Relevance: .1, Instructions: 60COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2516435377.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a05b7a00fc2021c5696182fc72d81821fc379f4df11dcfbdbb86aa69ffac685b
                                                                        • Instruction ID: 0de7bee3e9bacdfffbef96bdcb6dcabfe16ab017922f029d77c6db9690b12ca3
                                                                        • Opcode Fuzzy Hash: a05b7a00fc2021c5696182fc72d81821fc379f4df11dcfbdbb86aa69ffac685b
                                                                        • Instruction Fuzzy Hash: 1B11E372B0DA888FEB95DAA890E41A87B91EF56220B0440BEC54CD7097DA2DAC45C360
                                                                        Function 00007FFD3477EA2A Relevance: .1, Instructions: 51COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2514151740.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd3477d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b049a3ecab9630fb6c3eb50ce543ead7b9d67b5b55109a70c42013ce08dd46f6
                                                                        • Instruction ID: 0a015c87567f620b8e19aa8ee25427a94a549baf7400099c15b4ca23e1c87685
                                                                        • Opcode Fuzzy Hash: b049a3ecab9630fb6c3eb50ce543ead7b9d67b5b55109a70c42013ce08dd46f6
                                                                        • Instruction Fuzzy Hash: FA01DF3261CE08CF9A68EA2DE4858A577E0FB8432075045AED109CB266DA25F886CB81
                                                                        Function 00007FFD348933B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41
                                                                        Function 00007FFD3477EA3F Relevance: .0, Instructions: 36COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2514151740.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd3477d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
                                                                        • Instruction ID: 780fa0c22f6d824f800790f7ff22c112e1c941ca4a92a3f7cc5f9c315e0c032e
                                                                        • Opcode Fuzzy Hash: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
                                                                        • Instruction Fuzzy Hash: 10F0B774618E08DF8AA4EF2DC885D2237E1FB983107514658E45EC7265D774F891CB80
                                                                        Function 00007FFD349643FA Relevance: .0, Instructions: 36COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2516435377.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1d7afb83de6b361d80640256080cda8b83706013d254acbb1456af9e78ef8bfc
                                                                        • Instruction ID: bf5f24cc5dcef5d1f8c164673e8a4a3e2e4eab5d18fc9a10aaac3319019ec86e
                                                                        • Opcode Fuzzy Hash: 1d7afb83de6b361d80640256080cda8b83706013d254acbb1456af9e78ef8bfc
                                                                        • Instruction Fuzzy Hash: 69F09A32A4D5458FDB55AB98A0A14E877E0FF06334B5500BAE64DCB0A7DA2AAC44CB60

                                                                        Non-executed Functions

                                                                        Function 00007FFD34898995 Relevance: 5.2, Strings: 4, Instructions: 152COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^$N_^$N_^$N_^
                                                                        • API String ID: 0-3900292545
                                                                        • Opcode ID: e067771f54dbcb80a559655a2238ca6cc0edb9fd7785de2171c142057c50c8d8
                                                                        • Instruction ID: 3fdbbbb0abdb01076c8f42bea55b05d097a0a22f836e936ef54c45a0e0cc4a05
                                                                        • Opcode Fuzzy Hash: e067771f54dbcb80a559655a2238ca6cc0edb9fd7785de2171c142057c50c8d8
                                                                        • Instruction Fuzzy Hash: 3D4160A3A1EAC21FE75743684CB60D97FE0EF13364B0E05F6C295CB093E95D6846A253
                                                                        Function 00007FFD34898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2515218973.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^4$N_^7$N_^F$N_^J
                                                                        • API String ID: 0-3508309026
                                                                        • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                        • Instruction ID: 3b76da1c841fbdb11da6a3614379ab6690a2d8885d252c0cc13f4bf58231014a
                                                                        • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                        • Instruction Fuzzy Hash: D32101B7B084266FD3127BFCAD346DA3B54DB9433474902B2D298DB143E934708A8AC2

                                                                        Executed Functions

                                                                        Function 00007FFD348A1659 Relevance: .6, Instructions: 628COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 28866dfdd9cc52ec9923b39b3d6d8301c1fed6bf9cfbdf5d05a70179fa6d7b61
                                                                        • Instruction ID: c150d7880c157b791e768c0b6355bb6fd65f8057ab1e576007a0e79df4bc3942
                                                                        • Opcode Fuzzy Hash: 28866dfdd9cc52ec9923b39b3d6d8301c1fed6bf9cfbdf5d05a70179fa6d7b61
                                                                        • Instruction Fuzzy Hash: 9812EF30B19A094FEBA8EB6C84B937977D6FF99300F44057DE44EC32D2DE68A8418791
                                                                        Function 00007FFD348A1E1D Relevance: .2, Instructions: 198COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa52964a66ddd0b7fbd95c7a1136fa4ca702e6b9747afc56eda98cdea0c50865
                                                                        • Instruction ID: 6214462835139751e4f1f5d11a7a34ec8304ac580fe81dd27620323964c411d4
                                                                        • Opcode Fuzzy Hash: fa52964a66ddd0b7fbd95c7a1136fa4ca702e6b9747afc56eda98cdea0c50865
                                                                        • Instruction Fuzzy Hash: FD510024B1E6C50FE796ABB848B42B67FD5DF87215B0800FBE089C71E3DD585806C352
                                                                        Function 00007FFD348A0BCE Relevance: .2, Instructions: 182COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 70d8b7e8b3bc3a3cc91e85513456ecbc8e73ebf92073e6e455e21f43c1b20be8
                                                                        • Instruction ID: 029ace16f863b2ef47279e48d16a14bbb6f2743f5c1ee1d34a2cd028b1674341
                                                                        • Opcode Fuzzy Hash: 70d8b7e8b3bc3a3cc91e85513456ecbc8e73ebf92073e6e455e21f43c1b20be8
                                                                        • Instruction Fuzzy Hash: CE513721B0EA860FE7A6A77848652B97BE5EF87220B0901FBD48DC7193DC5D6C428361
                                                                        Function 00007FFD348A0540 Relevance: .1, Instructions: 139COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0a65d8893353833f0b497a78212da57231972870079e03bce4ce10d4bd734745
                                                                        • Instruction ID: c691704a25f46119d78ce48b1e18c508df5e36a82befb830f42b03eafc4b45ce
                                                                        • Opcode Fuzzy Hash: 0a65d8893353833f0b497a78212da57231972870079e03bce4ce10d4bd734745
                                                                        • Instruction Fuzzy Hash: 8631B521B1D9490FE798EB6C94AA379B6C6EFD9355F4405BEE00EC32D3DD68AC418340
                                                                        Function 00007FFD348A0A69 Relevance: .1, Instructions: 123COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 494e65f1fec2b5b82a36ba5c8e54ba9972cf8e700a0e8dcc2af32822d3655c3e
                                                                        • Instruction ID: 6905741ebf9930a3d1663e0be0e6800925b60ffea97d4e6751b89da459784871
                                                                        • Opcode Fuzzy Hash: 494e65f1fec2b5b82a36ba5c8e54ba9972cf8e700a0e8dcc2af32822d3655c3e
                                                                        • Instruction Fuzzy Hash: AA31C611B199494FEB90BBEC58693BD77E6EF9A341F08427AE00DC32D3DD6C684183A1
                                                                        Function 00007FFD348A0925 Relevance: .1, Instructions: 115COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 65470661325e460fced5d1c80d058f35ea7b31781d66f2bcc23a0c2ad9436238
                                                                        • Instruction ID: 8af231402ff3036532c66eabaaa3e74bcb113d048fdd5245eb801b7a0dbc23f4
                                                                        • Opcode Fuzzy Hash: 65470661325e460fced5d1c80d058f35ea7b31781d66f2bcc23a0c2ad9436238
                                                                        • Instruction Fuzzy Hash: E2316D74B19A0E8FEF94EFA884B56ADBBA5FF99300F540579D009D32C6CE78A841C750
                                                                        Function 00007FFD348A1FD1 Relevance: .0, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2693601081.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ffd348a0000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0f8197790cfb5e18ce888003659f9c0b7ceec8f86274757227a45ee68a302421
                                                                        • Instruction ID: d84793a68baef07d863101d11cebe92a52d47e6033dbe78f108cd99d9dd43664
                                                                        • Opcode Fuzzy Hash: 0f8197790cfb5e18ce888003659f9c0b7ceec8f86274757227a45ee68a302421
                                                                        • Instruction Fuzzy Hash: 8D012B55A0E7C10FE792AB7858B54357FF09F92301B0804BBDA88CB1D7DD5C9944D3A2

                                                                        Executed Functions

                                                                        Function 00007FFD34881659 Relevance: .6, Instructions: 628COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 568762659073714684a99c233a9d269dd80acaee68739608d5d0a74962da2b5a
                                                                        • Instruction ID: dd61f62491476f323025c1971a3d152eb7244ebb663e083f63e44bbd086e7173
                                                                        • Opcode Fuzzy Hash: 568762659073714684a99c233a9d269dd80acaee68739608d5d0a74962da2b5a
                                                                        • Instruction Fuzzy Hash: D812D471B18A094FE7A8EB6C84B93B977D2FF99310F440579E44EC3296DE38B8419781
                                                                        Function 00007FFD34881E1D Relevance: .2, Instructions: 198COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: de39bce91063feb66bf5b51136dfbb3c6b79bb4a46c64e4b3bd47110e3d723fc
                                                                        • Instruction ID: 0dc644d8c6eb09a8469469c5bdaa8a3113a586cbc0057f67a25985556c6cb576
                                                                        • Opcode Fuzzy Hash: de39bce91063feb66bf5b51136dfbb3c6b79bb4a46c64e4b3bd47110e3d723fc
                                                                        • Instruction Fuzzy Hash: BF51EF20B1E6C94FE796A7B858B52B67FD9DF87215B0800FBE089C71A3DD185846C342
                                                                        Function 00007FFD34880BCE Relevance: .2, Instructions: 182COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bc74b4669e0ec4e06a642722c42734cd967214399c1a8aa54016c23352c9f705
                                                                        • Instruction ID: f7ec640a886abc9f73bcedd6d69feccf30b24c2fde2adbdc657028fe459367e3
                                                                        • Opcode Fuzzy Hash: bc74b4669e0ec4e06a642722c42734cd967214399c1a8aa54016c23352c9f705
                                                                        • Instruction Fuzzy Hash: D4510621B0EB860FE3A6A77848652B57FD6EF97210B0905FAD489C7193DC1D6C468351
                                                                        Function 00007FFD34880540 Relevance: .1, Instructions: 139COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5896eb373f1df6e59f9497e95b826abcdd2a7343f0e57206028836235ddee731
                                                                        • Instruction ID: 64d4f9c9e01c859abf40a64e0096b0c822cd8de02e7675c8b7849c6dd331bd14
                                                                        • Opcode Fuzzy Hash: 5896eb373f1df6e59f9497e95b826abcdd2a7343f0e57206028836235ddee731
                                                                        • Instruction Fuzzy Hash: 8F31B521B1C9490FE7A8EB6C94AA37976C6EFD9315F0405BEE00EC32D3DD68AC418341
                                                                        Function 00007FFD34880A69 Relevance: .1, Instructions: 123COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ef7f7cc0ac325a81d71bc21ff77586afc238fbf219a5391c60592088120c2e4e
                                                                        • Instruction ID: a237d9266e17a84a8c34ec0ba0cb0d641afa4d584f6fd177d3b26b77f00d6805
                                                                        • Opcode Fuzzy Hash: ef7f7cc0ac325a81d71bc21ff77586afc238fbf219a5391c60592088120c2e4e
                                                                        • Instruction Fuzzy Hash: DC31A821B18A495FE791BBEC58793BE76E5EF9A311F14027AE00DC31D3DD2C68419391
                                                                        Function 00007FFD34880925 Relevance: .1, Instructions: 115COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5446998fcc9cc4e8de88672903332d929a0bcc39b8577ce954a3f5261eba99e2
                                                                        • Instruction ID: e85fd034433480933827b66cb5d4e3194c3d8ea1e1b4df3164424eaab8c72992
                                                                        • Opcode Fuzzy Hash: 5446998fcc9cc4e8de88672903332d929a0bcc39b8577ce954a3f5261eba99e2
                                                                        • Instruction Fuzzy Hash: 48316034B18A0E8FEB94EBA884756EE7BB1FF89300F540575D009D3286DE38B8858780
                                                                        Function 00007FFD34881FD1 Relevance: .0, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2768628678.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffd34880000_X.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e0fa98a6e60d836cf20ec5d88f656ac28a5b0baf734a2bb6ca715c5d40b8c88
                                                                        • Instruction ID: 827309e2234027c7a8b614df62bee4192d714f04677aa261c0e5636f5bef0f65
                                                                        • Opcode Fuzzy Hash: 8e0fa98a6e60d836cf20ec5d88f656ac28a5b0baf734a2bb6ca715c5d40b8c88
                                                                        • Instruction Fuzzy Hash: C001F755A0D7810FE382A77858B94717FF0DF92301B0804BAE988CB197DD0DA9849392