Edit tour

Windows Analysis Report
CTIPUPiILj.exe

Overview

General Information

Sample name:	CTIPUPiILj.exe renamed because original name is a hash value
Original sample name:	4597cfda7c207de66f7d4c09ec509270N.exe
Analysis ID:	1483224
MD5:	4597cfda7c207de66f7d4c09ec509270
SHA1:	f7734f30994e12c4bdf8149d7a9df617a01dd603
SHA256:	60804fac251fabf3531dce8797bcb197d92c24c9244033534ce8df3752202832
Tags:	exe
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

CTIPUPiILj.exe (PID: 4080 cmdline: "C:\Users\user\Desktop\CTIPUPiILj.exe" MD5: 4597CFDA7C207DE66F7D4C09EC509270)

powershell.exe (PID: 984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CTIPUPiILj.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4424 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

System (PID: 6476 cmdline: C:\Users\user\AppData\Roaming\System MD5: 4597CFDA7C207DE66F7D4C09EC509270)

System (PID: 1292 cmdline: C:\Users\user\AppData\Roaming\System MD5: 4597CFDA7C207DE66F7D4C09EC509270)

OpenWith.exe (PID: 2284 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

svchost.exe (PID: 736 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

OpenWith.exe (PID: 5000 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

System (PID: 6456 cmdline: C:\Users\user\AppData\Roaming\System MD5: 4597CFDA7C207DE66F7D4C09EC509270)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["usually-carolina.gl.at.ply.gg"], "Port": "5041", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
CTIPUPiILj.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
CTIPUPiILj.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
CTIPUPiILj.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
CTIPUPiILj.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x83a2:$s6: VirtualBox 0x8300:$s8: Win32_ComputerSystem 0x8d68:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8e05:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8f1a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x89e0:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\System	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\System	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\System	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\System	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x83a2:$s6: VirtualBox 0x8300:$s8: Win32_ComputerSystem 0x8d68:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8e05:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8f1a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x89e0:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x81a2:$s6: VirtualBox 0x8100:$s8: Win32_ComputerSystem 0x8b68:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8c05:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8d1a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e0:$cnc4: POST / HTTP/1.1
00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: CTIPUPiILj.exe PID: 4080	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: CTIPUPiILj.exe PID: 4080	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.CTIPUPiILj.exe.b80000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.CTIPUPiILj.exe.b80000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.CTIPUPiILj.exe.b80000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.CTIPUPiILj.exe.b80000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x83a2:$s6: VirtualBox 0x8300:$s8: Win32_ComputerSystem 0x8d68:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8e05:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8f1a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x89e0:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CTIPUPiILj.exe", ParentImage: C:\Users\user\Desktop\CTIPUPiILj.exe, ParentProcessId: 4080, ParentProcessName: CTIPUPiILj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', ProcessId: 984, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CTIPUPiILj.exe", ParentImage: C:\Users\user\Desktop\CTIPUPiILj.exe, ParentProcessId: 4080, ParentProcessName: CTIPUPiILj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', ProcessId: 984, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\System, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\CTIPUPiILj.exe, ProcessId: 4080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\System, CommandLine: C:\Users\user\AppData\Roaming\System, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\System, NewProcessName: C:\Users\user\AppData\Roaming\System, OriginalFileName: C:\Users\user\AppData\Roaming\System, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\System, ProcessId: 6476, ProcessName: System

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\CTIPUPiILj.exe, ProcessId: 4080, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\CTIPUPiILj.exe", ParentImage: C:\Users\user\Desktop\CTIPUPiILj.exe, ParentProcessId: 4080, ParentProcessName: CTIPUPiILj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System", ProcessId: 4424, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CTIPUPiILj.exe", ParentImage: C:\Users\user\Desktop\CTIPUPiILj.exe, ParentProcessId: 4080, ParentProcessName: CTIPUPiILj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe', ProcessId: 984, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 736, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.5 - Destination IP: 147.185.221.20

Timestamp:	2024-07-26T21:21:02.849493+0200
SID:	2855924
Source Port:	52915
Destination Port:	5041
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T21:19:40.459077+0200
SID:	2022930
Source Port:	443
Destination Port:	52905
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T21:19:20.559496+0200
SID:	2022930
Source Port:	443
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.5 - Destination IP: 147.185.221.20

Timestamp:	2024-07-26T21:20:08.102572+0200
SID:	2855924
Source Port:	52906
Destination Port:	5041
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T21:19:39.426701+0200
SID:	2022930
Source Port:	443
Destination Port:	52904
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CTIPUPiILj.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\System

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: CTIPUPiILj.exe

Malware Configuration Extractor: Xworm {"C2 url": ["usually-carolina.gl.at.ply.gg"], "Port": "5041", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\System

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: CTIPUPiILj.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\System

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CTIPUPiILj.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: CTIPUPiILj.exe	String decryptor: usually-carolina.gl.at.ply.gg
Source: CTIPUPiILj.exe	String decryptor: 5041
Source: CTIPUPiILj.exe	String decryptor: <123456789>
Source: CTIPUPiILj.exe	String decryptor: <Xwormmm>
Source: CTIPUPiILj.exe	String decryptor: solara
Source: CTIPUPiILj.exe	String decryptor: USB.exe
Source: CTIPUPiILj.exe	String decryptor: %AppData%
Source: CTIPUPiILj.exe	String decryptor: System

Source: CTIPUPiILj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CTIPUPiILj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: usually-carolina.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:52906 -> 147.185.221.20:5041

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.20 147.185.221.20

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: usually-carolina.gl.at.ply.gg

Source: powershell.exe, 00000002.00000002.2108916935.0000020FC3127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2516863513.0000015576524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic_
Source: powershell.exe, 00000002.00000002.2108916935.0000020FC3127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: svchost.exe, 00000013.00000002.3264742939.00000238ACC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.19.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: CTIPUPiILj.exe, System.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2100768618.0000020FBAA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181906507.00000240AE760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306212530.000001D99006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2514248521.00000155762E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2082488609.0000020FAAC28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E91A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: CTIPUPiILj.exe, 00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2082488609.0000020FAAA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555DE91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2082488609.0000020FAAC28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E91A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2192782230.00000240B6C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000008.00000002.2331359743.000001D9F75E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2082488609.0000020FAAA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555DE91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.19.dr, qmgr.db.19.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000013.00000003.2674373262.00000238ACA40000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2100768618.0000020FBAA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181906507.00000240AE760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306212530.000001D99006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.19.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTIPUPiILj.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: CTIPUPiILj.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: System.0.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: CTIPUPiILj.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\System, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F26A22	0_2_00007FF848F26A22
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F2155E	0_2_00007FF848F2155E
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F25C76	0_2_00007FF848F25C76
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F21F41	0_2_00007FF848F21F41
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F21CA1	0_2_00007FF848F21CA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8490130E9	5_2_00007FF8490130E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848FE2E11	10_2_00007FF848FE2E11
Source: C:\Users\user\AppData\Roaming\System	Code function: 16_2_00007FF848F1155E	16_2_00007FF848F1155E
Source: C:\Users\user\AppData\Roaming\System	Code function: 16_2_00007FF848F11CA1	16_2_00007FF848F11CA1
Source: C:\Users\user\AppData\Roaming\System	Code function: 17_2_00007FF848F1155E	17_2_00007FF848F1155E
Source: C:\Users\user\AppData\Roaming\System	Code function: 17_2_00007FF848F11CA1	17_2_00007FF848F11CA1
Source: C:\Users\user\AppData\Roaming\System	Code function: 21_2_00007FF848F1155E	21_2_00007FF848F1155E

Source: CTIPUPiILj.exe, 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesolaraVIP.exe4 vs CTIPUPiILj.exe
Source: CTIPUPiILj.exe	Binary or memory string: OriginalFilenamesolaraVIP.exe4 vs CTIPUPiILj.exe

Source: CTIPUPiILj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CTIPUPiILj.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\System, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: CTIPUPiILj.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: CTIPUPiILj.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: CTIPUPiILj.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: System.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: System.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: System.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: System.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: System.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: CTIPUPiILj.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: CTIPUPiILj.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/25@3/3

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File created: C:\Users\user\AppData\Roaming\System

Jump to behavior

Source: C:\Users\user\AppData\Roaming\System	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Mutant created: \Sessions\1\BaseNamedObjects\y68FICsbms72xDoX

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: CTIPUPiILj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CTIPUPiILj.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CTIPUPiILj.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File read: C:\Users\user\Desktop\CTIPUPiILj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CTIPUPiILj.exe "C:\Users\user\Desktop\CTIPUPiILj.exe"
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CTIPUPiILj.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\System C:\Users\user\AppData\Roaming\System
Source: unknown	Process created: C:\Users\user\AppData\Roaming\System C:\Users\user\AppData\Roaming\System
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\System C:\Users\user\AppData\Roaming\System
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CTIPUPiILj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System"	Jump to behavior

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: System.lnk.0.dr

LNK file: ..\..\..\..\..\System

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CTIPUPiILj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CTIPUPiILj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: CTIPUPiILj.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: CTIPUPiILj.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: System.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: System.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: CTIPUPiILj.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: CTIPUPiILj.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: CTIPUPiILj.exe, Messages.cs	.Net Code: Memory
Source: System.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: System.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: System.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F285FD push eax; ret	0_2_00007FF848F2867B
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F28648 push eax; ret	0_2_00007FF848F2867B
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F27C2D push E95D90C9h; ret	0_2_00007FF848F27C79
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F27C7B push E95D90C9h; ret	0_2_00007FF848F27C79
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Code function: 0_2_00007FF848F200BD pushad ; iretd	0_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E2D2A5 pushad ; iretd	2_2_00007FF848E2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F400BD pushad ; iretd	2_2_00007FF848F400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848E2D2A5 pushad ; iretd	5_2_00007FF848E2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F400BD pushad ; iretd	5_2_00007FF848F400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848E0D2A5 pushad ; iretd	8_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F200BD pushad ; iretd	8_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848FF1519 pushad ; iretd	8_2_00007FF848FF1539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848DFD2A5 pushad ; iretd	10_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F100BD pushad ; iretd	10_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\System	Code function: 16_2_00007FF848F100BD pushad ; iretd	16_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\System	Code function: 17_2_00007FF848F100BD pushad ; iretd	17_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\System	Code function: 21_2_00007FF848F100BD pushad ; iretd	21_2_00007FF848F100C1

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File created: C:\Users\user\AppData\Roaming\System

Jump to dropped file

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File created: C:\Users\user\AppData\Roaming\System

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTIPUPiILj.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System"

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Jump to behavior

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Jump to behavior

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System			Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\System	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTIPUPiILj.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CTIPUPiILj.exe, 00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: CTIPUPiILj.exe, System.0.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\System	Memory allocated: 1AB40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\System	Memory allocated: 9B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\System	Memory allocated: 1A880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\System	Memory allocated: 12C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\System	Memory allocated: 1B000000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Window / User API: threadDelayed 6044	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Window / User API: threadDelayed 3803	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5092	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4743	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5870	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3823	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7052	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2542	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6614
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3069

Source: C:\Users\user\Desktop\CTIPUPiILj.exe TID: 5596	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3944	Thread sleep count: 5870 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep count: 3823 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6948	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1292	Thread sleep count: 7052 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep count: 2542 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6968	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\System TID: 2828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System TID: 5788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2848	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\System	Last function: Thread delayed

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\System	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\System	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System	Thread delayed: delay time: 922337203685477

Source: System.0.dr	Binary or memory string: vmware
Source: svchost.exe, 00000013.00000002.3261965410.00000238A762B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3264921269.00000238ACC54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CTIPUPiILj.exe, 00000000.00000002.3311277938.000000001BC50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Code function: 0_2_00007FF848F27200 CheckRemoteDebuggerPresent,

0_2_00007FF848F27200

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\System	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\System	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\System	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System'
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CTIPUPiILj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System"	Jump to behavior

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Queries volume information: C:\Users\user\Desktop\CTIPUPiILj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\System	Queries volume information: C:\Users\user\AppData\Roaming\System VolumeInformation
Source: C:\Users\user\AppData\Roaming\System	Queries volume information: C:\Users\user\AppData\Roaming\System VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\System	Queries volume information: C:\Users\user\AppData\Roaming\System VolumeInformation

Source: C:\Users\user\Desktop\CTIPUPiILj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTIPUPiILj.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Source: CTIPUPiILj.exe, 00000000.00000002.3311277938.000000001BD3E000.00000004.00000020.00020000.00000000.sdmp, CTIPUPiILj.exe, 00000000.00000002.3311277938.000000001BC50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: CTIPUPiILj.exe, 00000000.00000002.3311277938.000000001BC50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpeng.exe

Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\CTIPUPiILj.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTIPUPiILj.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: CTIPUPiILj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.CTIPUPiILj.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTIPUPiILj.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	33 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	2 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	551 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	161 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
CTIPUPiILj.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
CTIPUPiILj.exe	100%	Avira	TR/Spy.Gen
CTIPUPiILj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\System	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\System	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\System	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://crl.mic	0%	Avira URL Cloud	safe
usually-carolina.gl.at.ply.gg	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/Prod/C:	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://crl.mic_	0%	Avira URL Cloud	safe
http://crl.micft.cMicRosof	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://osoft.co	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	true	unknown
usually-carolina.gl.at.ply.gg	147.185.221.20	true	true	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
usually-carolina.gl.at.ply.gg	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod/C:	edb.log.19.dr, qmgr.db.19.dr	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2100768618.0000020FBAA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181906507.00000240AE760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306212530.000001D99006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2082488609.0000020FAAC28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E91A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic_	powershell.exe, 0000000A.00000002.2516863513.0000015576524000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2082488609.0000020FAAC28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E91A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2100768618.0000020FBAA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181906507.00000240AE760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306212530.000001D99006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 00000008.00000002.2331359743.000001D9F75E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000002.00000002.2108916935.0000020FC3127000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.2492045445.000001556DEFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://osoft.co	powershell.exe, 0000000A.00000002.2514248521.00000155762E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000013.00000002.3264742939.00000238ACC00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000013.00000003.2674373262.00000238ACA40000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr	false	URL Reputation: safe	unknown
http://www.microsoft.	powershell.exe, 00000005.00000002.2192782230.00000240B6C00000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micft.cMicRosof	powershell.exe, 00000002.00000002.2108916935.0000020FC3127000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2082488609.0000020FAAA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555DE91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CTIPUPiILj.exe, 00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2082488609.0000020FAAA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2136314106.000002409E6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2221426999.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2377631032.000001555DE91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.2377631032.000001555E0BA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
147.185.221.20	usually-carolina.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483224
Start date and time:	2024-07-26 21:18:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CTIPUPiILj.exe renamed because original name is a hash value
Original Sample Name:	4597cfda7c207de66f7d4c09ec509270N.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/25@3/3
EGA Information:	Successful, ratio: 12.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target System, PID 1292 because it is empty
Execution Graph export aborted for target System, PID 6456 because it is empty
Execution Graph export aborted for target System, PID 6476 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4296 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6220 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6468 because it is empty
Execution Graph export aborted for target powershell.exe, PID 984 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: CTIPUPiILj.exe

Simulations

Behavior and APIs

Time	Type	Description
15:19:03	API Interceptor	49x Sleep call for process: powershell.exe modified
15:19:51	API Interceptor	940043x Sleep call for process: CTIPUPiILj.exe modified
15:20:04	API Interceptor	2x Sleep call for process: svchost.exe modified
15:20:04	API Interceptor	2x Sleep call for process: OpenWith.exe modified
21:19:53	Task Scheduler	Run new task: System path: C:\Users\user\AppData\Roaming\System
21:19:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System C:\Users\user\AppData\Roaming\System
21:20:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run System C:\Users\user\AppData\Roaming\System
21:20:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Built.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	ip-api.com/json
	LisectAVT_2403002A_1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
147.185.221.20	Ekpb7jn7mf.exe	Get hash	malicious	RedLine, XWorm	Browse	pst-child.gl.at.ply.gg:9336/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Built.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	208.95.112.1
	LisectAVT_2403002A_1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	LisectAVT_2403002A_135.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	LisectAVT_2403002B_484.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	147.185.221.19
	LisectAVT_2403002B_484.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	147.185.221.19
	LisectAVT_2403002C_149.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	LisectAVT_2403002C_28.exe	Get hash	malicious	Remcos	Browse	147.185.221.18
	sv6ieteV0j.exe	Get hash	malicious	Njrat, PureLog Stealer	Browse	147.185.221.21
	Ym4vc47pgk.elf	Get hash	malicious	Unknown	Browse	147.184.134.179
	Windows Defender.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	setup.exe	Get hash	malicious	RedLine	Browse	147.185.221.21
	setup.exe	Get hash	malicious	RedLine	Browse	147.185.221.21
TUT-ASUS	Built.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	LisectAVT_2403002A_1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	s6K4JjTwtz.exe	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.830726815445972
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugi:gJjJGtpTq2yv1AuNZRY3diu8iBVqFk
MD5:	9CE35823CE65FFE54E1A08C58E56A954
SHA1:	2D5E7D376CBF01378E8ED7C172B30438C5F34CE6
SHA-256:	62604DB449236EE0E2C05F680DE0193BC61C8A8B14AD9C11911020D8AC37F03E
SHA-512:	EBB9956856C15F920BFD1802C7244AB8F9EF514923C03A8DDD484C677A951D8511A44664A3B1884C7DC91CBA630F6EEB504F16EB97B51FBCA840867AC94027F9
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x5a2d7364, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585597772418026
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	564D5970F6DF7179C6AB4144CA5F1DAB
SHA1:	43D5939846892AB44E2D1A62E713CC999A717784
SHA-256:	976ECFAECEA14E820114254B862A47E4C8649FA459C2BCE777C900744A2D94B8
SHA-512:	35DFFCDE667060956E265E0913F93F8C8622A17DBA58240BD58D01299F40A67ECD6888C449DD9725E3C3511F78CBA3D3DAB9BC79F595A4983E9FF340E8FC0795
Malicious:	false
Preview:	Z-sd... ...............X\...;...{......................0.z..........{.......\|I.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{....................................h......\|I....................B.....\|I..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08103879496757932
Encrypted:	false
SSDEEP:	3:yil8YeWK6sBVGuAJkhvekl1wnhsNallrekGltll/SPj:yil8zx7rxlen6oJe3l
MD5:	176109D128C3F2CD8673FDE203ADFE34
SHA1:	39D7CC05006DC1A6B5990C3B07F296276FCC7E10
SHA-256:	18F2ECA79FA5F9A4C452E74310C7396810E175D61F97434F6A0866FD6B2D8874
SHA-512:	820E0357ACC53789A27F97CAB4E6CAE3C0DDC236CC97A7A6D630C6D8D1578BFD37D315B2EBD5B6D7C6C2DD15DA1BD24486D009C82100EC05CF54577A033DA5E3
Malicious:	false
Preview:	........................................;...{.......\|I......{...............{.......{...XL......{.....................B.....\|I.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.log

Download File

Process:	C:\Users\user\AppData\Roaming\System
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\CTIPUPiILj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04mzi5c1.e2s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ii0eyct.03j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ip1nvfe.vhk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xrj5cw2.vjy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qmkzsdr.jpm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bzyz3jz.teb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wv5ne0j.jxt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bngvm1dp.qnh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjwa5z33.qh5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ef2dv2v3.4gf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcqn3pmw.n3u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmjmlvdq.wht.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pe1h2ycy.ynr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rubsvzex.ru3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqsablrj.3xy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_suulfdin.mml.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Download File

Process:	C:\Users\user\Desktop\CTIPUPiILj.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jul 26 18:19:51 2024, mtime=Fri Jul 26 18:19:51 2024, atime=Fri Jul 26 18:19:51 2024, length=42496, window=hide
Category:	dropped
Size (bytes):	736
Entropy (8bit):	5.005394560830984
Encrypted:	false
SSDEEP:	12:8Js4fC388C2lsY//TZLj0KEjA3SHWfTWgK1Qxo1Qx3mV:8jfCs8hZLVjOA3Z7WgKR4m
MD5:	69EC900528EAFF23E27B8C6BF25B4F77
SHA1:	D1316202126263C3BBBDAC79696DC58A29B1AE48
SHA-256:	D4F3415651FF6EDE004CDC8FB0F41C56A4FB89521EDD02BCC1323DBEF2D36FF3
SHA-512:	7DBFAF1549385DB95F071684260B2AA0476FCE06DF83479B6D0BAC134E187FE086AA86C3F3BB605C04B6F1D6E0713BAD5472D067353A6D3A6756351B77EB9DA6
Malicious:	false
Preview:	L..................F.... ....B......B......B.............................h.:..DG..Yr?.D..U..k0.&...&...... M.....[.^.....]..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X\.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X[...Roaming.@......DWSl.X[.....C.......................'.R.o.a.m.i.n.g.....T.2......Xz. .System..>.......Xz..Xz...........................G9B.S.y.s.t.e.m.......U...............-.......T.............K=.....C:\Users\user\AppData\Roaming\System........\.....\.....\.....\.....\.S.y.s.t.e.m.`.......X.......065367...........hT..CrF.f4... .....K...,...W..hT..CrF.f4... .....K...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\System

Download File

Process:	C:\Users\user\Desktop\CTIPUPiILj.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42496
Entropy (8bit):	5.547472530014845
Encrypted:	false
SSDEEP:	768:NmrJDweBDuOkScrbsN/x6eqCAr43MxfJF5Pa9p+36iOwhW3/ibR:N0DwewicrbsN/YVRrNRF49I36iOwQad
MD5:	4597CFDA7C207DE66F7D4C09EC509270
SHA1:	F7734F30994E12C4BDF8149D7A9DF617A01DD603
SHA-256:	60804FAC251FABF3531DCE8797BCB197D92C24C9244033534CE8DF3752202832
SHA-512:	D48FF6BB61875D5547A5F8033EE4152066644D4992A59B65F36A6C04280DAD04CCDC14805243955BB2C6B7E0F9948F9D6D090855A3EDBD8226A77B6D7D7CDBCA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\System, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nT.f................................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......D^..h[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.547472530014845
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CTIPUPiILj.exe
File size:	42'496 bytes
MD5:	4597cfda7c207de66f7d4c09ec509270
SHA1:	f7734f30994e12c4bdf8149d7a9df617a01dd603
SHA256:	60804fac251fabf3531dce8797bcb197d92c24c9244033534ce8df3752202832
SHA512:	d48ff6bb61875d5547a5f8033ee4152066644d4992a59b65f36a6c04280dad04ccdc14805243955bb2c6b7e0f9948f9d6d090855a3edbd8226a77b6d7d7cdbca
SSDEEP:	768:NmrJDweBDuOkScrbsN/x6eqCAr43MxfJF5Pa9p+36iOwhW3/ibR:N0DwewicrbsN/YVRrNRF49I36iOwQad
TLSH:	7D133A457BE50226D5FF6BF918B362060A71F6038D13DB9E4CD88A9B1B37BC08A017D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nT.f................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40b9fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669E546E [Mon Jul 22 12:45:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb9ac	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9a04	0x9c00	8fdf3d0a783d32aa420182dfc1426bfa	False	0.486904046474359	data	5.661589601798919	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4e0	0x600	0dc307ba6d9ce9945e6f6800c9146989	False	0.376953125	data	3.730219216270614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	fe2bb0504d9a334a0d77fe5d08da898c	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x24c	data			0.47278911564625853
RT_MANIFEST	0xc2f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T21:21:02.849493+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	52915	5041	192.168.2.5	147.185.221.20
2024-07-26T21:19:40.459077+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	52905	20.12.23.50	192.168.2.5
2024-07-26T21:19:20.559496+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49705	40.68.123.157	192.168.2.5
2024-07-26T21:20:08.102572+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	52906	5041	192.168.2.5	147.185.221.20
2024-07-26T21:19:39.426701+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	52904	20.12.23.50	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:19:03.372679949 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 21:19:03.378513098 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 21:19:03.378608942 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 21:19:03.379477978 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 21:19:03.384502888 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 21:19:03.903254032 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 21:19:03.958583117 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 21:19:53.262105942 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:19:53.267010927 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:19:53.267177105 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:19:53.300937891 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:19:53.305978060 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:08.102571964 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:08.107533932 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:12.138489962 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 21:20:12.138585091 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 21:20:15.314358950 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:15.314721107 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:15.314826965 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:15.315171957 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:15.315222025 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:15.411765099 CEST	52906	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:15.413743019 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:15.416780949 CEST	5041	52906	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:15.418539047 CEST	5041	52913	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:15.422327995 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:15.495407104 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:15.500343084 CEST	5041	52913	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:25.724827051 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:25.730214119 CEST	5041	52913	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:35.958946943 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:35.968558073 CEST	5041	52913	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:36.776238918 CEST	5041	52913	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:36.776427031 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:38.255490065 CEST	52913	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:38.256903887 CEST	52914	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:38.261223078 CEST	5041	52913	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:38.261718035 CEST	5041	52914	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:38.261775017 CEST	52914	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:38.291588068 CEST	52914	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:38.297020912 CEST	5041	52914	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:43.913865089 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 21:20:43.919183969 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 21:20:50.474661112 CEST	52914	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:20:50.479576111 CEST	5041	52914	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:59.651556969 CEST	5041	52914	147.185.221.20	192.168.2.5
Jul 26, 2024 21:20:59.651658058 CEST	52914	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:01.302369118 CEST	52914	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:01.305123091 CEST	52915	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:01.309026957 CEST	5041	52914	147.185.221.20	192.168.2.5
Jul 26, 2024 21:21:01.322094917 CEST	5041	52915	147.185.221.20	192.168.2.5
Jul 26, 2024 21:21:01.324594975 CEST	52915	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:01.436542034 CEST	52915	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:01.443604946 CEST	5041	52915	147.185.221.20	192.168.2.5
Jul 26, 2024 21:21:02.849493027 CEST	52915	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:02.989001036 CEST	5041	52915	147.185.221.20	192.168.2.5
Jul 26, 2024 21:21:10.568228960 CEST	52915	5041	192.168.2.5	147.185.221.20
Jul 26, 2024 21:21:10.582155943 CEST	5041	52915	147.185.221.20	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:19:03.335829973 CEST	49882	53	192.168.2.5	1.1.1.1
Jul 26, 2024 21:19:03.364607096 CEST	53	49882	1.1.1.1	192.168.2.5
Jul 26, 2024 21:19:34.800626993 CEST	53	62962	162.159.36.2	192.168.2.5
Jul 26, 2024 21:19:35.355279922 CEST	55426	53	192.168.2.5	1.1.1.1
Jul 26, 2024 21:19:35.363972902 CEST	53	55426	1.1.1.1	192.168.2.5
Jul 26, 2024 21:19:53.010853052 CEST	60556	53	192.168.2.5	1.1.1.1
Jul 26, 2024 21:19:53.251527071 CEST	53	60556	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 21:19:03.335829973 CEST	192.168.2.5	1.1.1.1	0x8f3d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 21:19:35.355279922 CEST	192.168.2.5	1.1.1.1	0x7f67	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 26, 2024 21:19:53.010853052 CEST	192.168.2.5	1.1.1.1	0xf048	Standard query (0)	usually-carolina.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 21:19:03.364607096 CEST	1.1.1.1	192.168.2.5	0x8f3d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 26, 2024 21:19:35.363972902 CEST	1.1.1.1	192.168.2.5	0x7f67	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 26, 2024 21:19:53.251527071 CEST	1.1.1.1	192.168.2.5	0xf048	No error (0)	usually-carolina.gl.at.ply.gg		147.185.221.20	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	4080	C:\Users\user\Desktop\CTIPUPiILj.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:19:03.379477978 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 26, 2024 21:19:03.903254032 CEST	175	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 19:19:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	15:18:58
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\CTIPUPiILj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CTIPUPiILj.exe"
Imagebase:	0xb80000
File size:	42'496 bytes
MD5 hash:	4597CFDA7C207DE66F7D4C09EC509270
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2012834594.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3270360962.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:19:02
Start date:	26/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CTIPUPiILj.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:19:02
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:19:08
Start date:	26/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CTIPUPiILj.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:19:08
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:19:17
Start date:	26/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:19:17
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:19:31
Start date:	26/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:19:31
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:19:51
Start date:	26/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\user\AppData\Roaming\System"
Imagebase:	0x7ff75de20000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:19:51
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:19:53
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\System
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\System
Imagebase:	0x900000
File size:	42'496 bytes
MD5 hash:	4597CFDA7C207DE66F7D4C09EC509270
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\System, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:20:01
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\System
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\System
Imagebase:	0x480000
File size:	42'496 bytes
MD5 hash:	4597CFDA7C207DE66F7D4C09EC509270
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:20:04
Start date:	26/07/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff7b5d80000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:20:04
Start date:	26/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	15:20:12
Start date:	26/07/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff7b5d80000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:21:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\System
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\System
Imagebase:	0xd90000
File size:	42'496 bytes
MD5 hash:	4597CFDA7C207DE66F7D4C09EC509270
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	56
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF848F27200 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[H, xrefs: 00007FF848F27201

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID: p[H
API String ID: 0-2622596012
Opcode ID: 7cbe70b418709fb4025954ced97f242600c1b1d096015041bec6989a0ce27156
Instruction ID: 97fc08d4f6f9116fc1cb1344a2f8966cdc00dbd5abf290a3751c7f4943bf51b6
Opcode Fuzzy Hash: 7cbe70b418709fb4025954ced97f242600c1b1d096015041bec6989a0ce27156
Instruction Fuzzy Hash: 77417931D0CA498FDB18EF6CA84A6F97BE0FF62351F04017BD089D71C2DB64A80687A1

Function 00007FF848F2155E Relevance: 1.8, Strings: 1, Instructions: 563
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N_H, xrefs: 00007FF848F21A6F

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID: N_H
API String ID: 0-1910052747
Opcode ID: 4854399e840c1d4de221d6dc999c0bd70f61b354b8434433f3df2b0cd14b2a97
Instruction ID: 58941f5931d75882b11a760af2e22c09f9f0f8ba0791ea995d3ddc3007e0d1e7
Opcode Fuzzy Hash: 4854399e840c1d4de221d6dc999c0bd70f61b354b8434433f3df2b0cd14b2a97
Instruction Fuzzy Hash: 2B02E431B2DA499FE798FB2C549527AB7D2FF98780F540679D40EC32C2DE2CA8418745

Function 00007FF848F25C76 Relevance: .5, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f95f563f0e0e1c897c87e433ca4c1ae6e623172efadf736cacc37be9d1849f
Instruction ID: 3129f0563fed360ae2ef51ae477535240a1204b05a161b71adac056be6235e21
Opcode Fuzzy Hash: 35f95f563f0e0e1c897c87e433ca4c1ae6e623172efadf736cacc37be9d1849f
Instruction Fuzzy Hash: 1AF1A33091CA4D8FEBA8EF28D8557E937D1FF58350F04426EE84DC7295DB39A9418B82

Function 00007FF848F26A22 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4849ecad1011c7db9d1fed8de50fd7fe3e352537bebbc574a142bacf3db27720
Instruction ID: afc1ee91b9c4ff8d6d2f68600e757ccbb959c7ea13bade3277288f5bece3e4ab
Opcode Fuzzy Hash: 4849ecad1011c7db9d1fed8de50fd7fe3e352537bebbc574a142bacf3db27720
Instruction Fuzzy Hash: 68E1A13090CA8D8FEBA8EF28D8557E977E1EF54351F04426AD84DC7291CB79A9408B86

Function 00007FF848F21F41 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8806f8fd07d1e8ac22b5931d63ec25e36662b662b438ee9037364f150e62ec
Instruction ID: f6029cfb13657e5b0569600b87e01f8ed49a3a5b29575cb4a2537fa4e2b2fc04
Opcode Fuzzy Hash: bf8806f8fd07d1e8ac22b5931d63ec25e36662b662b438ee9037364f150e62ec
Instruction Fuzzy Hash: 4CC1C070F2D9094FEB88FB689465679B6D2FF98380F14057AD45EC32D2DF39A8028749

Function 00007FF848F21CA1 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fccff417be95a09d36dc2626d0ba958edea881185060310acb334cf634d080c
Instruction ID: 5f38f14e95a0fb14b237cb919ba668fd5fa9c91c7ff1d542038c1bfc15c85527
Opcode Fuzzy Hash: 3fccff417be95a09d36dc2626d0ba958edea881185060310acb334cf634d080c
Instruction Fuzzy Hash: 40513520A5E6C95FD786AB7868642B5BFD1DF87269F0801FBE08DC71D3DE181846C34A

Function 00007FF848F285FD Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M_^', xrefs: 00007FF848F2876A
M_^, xrefs: 00007FF848F287C9
M_^, xrefs: 00007FF848F2862A

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^'
API String ID: 0-2610381986
Opcode ID: 1b2c3ac1af835a9b6a6f3016272a076f7b681aa68bf87d28e48776ebc2146e81
Instruction ID: 8865ae288da9f2eeda98a7a139003db3a65ff1e0569546c0c8b92b7f2d42dfe4
Opcode Fuzzy Hash: 1b2c3ac1af835a9b6a6f3016272a076f7b681aa68bf87d28e48776ebc2146e81
Instruction Fuzzy Hash: 19E16631E2EA898FE755FB38A8592B9BBE0FF55390F5401BAD049C31C3EE2D68058745

Function 00007FF848F2873D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M_^', xrefs: 00007FF848F2876A
M_^, xrefs: 00007FF848F287C9

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID:
String ID: M_^$M_^'
API String ID: 0-2866444206
Opcode ID: d47266567e8669b0556cd82f09a0a2b5abbfe9871ada46c7cf150dba35482e88
Instruction ID: adca62a7ef9869a512dba1bc49b6c438eb36202314c28c8c36629e5262684401
Opcode Fuzzy Hash: d47266567e8669b0556cd82f09a0a2b5abbfe9871ada46c7cf150dba35482e88
Instruction Fuzzy Hash: B451643290C6488FDB19EF6CE8556E9BBE0FF51324F04027ED09AC3582EB386446CB95

Function 00007FF848F29248 Relevance: 1.7, APIs: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF848F29342

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 17c110289051bea5eabd5f6c4199664a2e7e2cf8fc265b8bd66f78b47221387c
Instruction ID: 12bec7be7c80aab83ac2260e2600a7bcbeffe59104c04be166f511cd876a7d03
Opcode Fuzzy Hash: 17c110289051bea5eabd5f6c4199664a2e7e2cf8fc265b8bd66f78b47221387c
Instruction Fuzzy Hash: 11514531D0CA888FE719EB68A849AF9BBE0FF51311F08017ED089835C3DB296846C795

Function 00007FF848F29798 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF848F29861

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 04860ba2ff1acc1b7fa481672015bca6092940c1b487a7cc4c13f625cb78d9ff
Instruction ID: 1d61a785b086687158ccc39d27c9cb4824e4ea99d43199d386f812eb57649d28
Opcode Fuzzy Hash: 04860ba2ff1acc1b7fa481672015bca6092940c1b487a7cc4c13f625cb78d9ff
Instruction Fuzzy Hash: CE411830A1CA4C4FDB18EB68A8066F97BE1EB59311F10023ED049C3692CF65A852C7C5

Function 00007FF848F27631 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF848F276E0

Memory Dump Source

Source File: 00000000.00000002.3320886696.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_CTIPUPiILj.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: d208164bb681e53912bec77cf4dc0f706f00abe88e08da4371de0415f0c2ec8d
Instruction ID: 6e820ed98d52153bfd5593922bd5c54f8af72ed58ad19272e15ca0837d87e793
Opcode Fuzzy Hash: d208164bb681e53912bec77cf4dc0f706f00abe88e08da4371de0415f0c2ec8d
Instruction Fuzzy Hash: 6C31E23190875C8FCB58DF58C84A7E97BE0FF65311F05426BD489D7282DB34A846CB91

Analysis Process: powershell.exePID: 984, Parent PID: 4080COMMON

Executed Functions

Function 00007FF849016605 Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

(B&I, xrefs: 00007FF849016974
(B&I, xrefs: 00007FF84901678C
(B&I, xrefs: 00007FF849016858
(B&I, xrefs: 00007FF8490167C3
(B&I, xrefs: 00007FF8490166ED

Memory Dump Source

Source File: 00000002.00000002.2111957329.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID: (B&I$(B&I$(B&I$(B&I$(B&I
API String ID: 0-1750599480
Opcode ID: 44ea72e18c27a371c83dd6654db5560428419a889706fffb9f979074e5e2abdb
Instruction ID: 9ab8e2b8c4319e30ca9c2faf3910fe9ccf63faa6d2d78139b8f2d0969de22bb4
Opcode Fuzzy Hash: 44ea72e18c27a371c83dd6654db5560428419a889706fffb9f979074e5e2abdb
Instruction Fuzzy Hash: B3D14332D0EAC99FEB65AF6858165B5BBA0EF05794F0801FBD44CC7193EA19EC05C351

Function 00007FF849014073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

8>&I, xrefs: 00007FF84901413A

Memory Dump Source

Source File: 00000002.00000002.2111957329.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID: 8>&I
API String ID: 0-4142972376
Opcode ID: c5ccbcf74733ba0a24fecf19e6f2692be26198925cc6b1c47c1bde8d9a11f832
Instruction ID: d8d2eaacafca3da93b08a4ebe6bf6c84e007e29ec1c29d6f750015a3bf30ebf0
Opcode Fuzzy Hash: c5ccbcf74733ba0a24fecf19e6f2692be26198925cc6b1c47c1bde8d9a11f832
Instruction Fuzzy Hash: 59511C32E0DA8A8FEBA9EE2C541267577E1EF55360F5801BEC14DC72A3EE25EC058351

Function 00007FF8490140BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

8>&I, xrefs: 00007FF84901413A

Memory Dump Source

Source File: 00000002.00000002.2111957329.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID: 8>&I
API String ID: 0-4142972376
Opcode ID: 9e969e7cedbab8cb57d5fde0d9e87082ba059c14e648ac94b36a25908de938bb
Instruction ID: 235ffcf855f60173f3d59113e732218f31fbddad59e0a2ae01acb43bc57ed614
Opcode Fuzzy Hash: 9e969e7cedbab8cb57d5fde0d9e87082ba059c14e648ac94b36a25908de938bb
Instruction Fuzzy Hash: 6B21D232E0D9C78FEBB9EF2C546217476D5EF64290B5901BAC05DC71B2EE29DC058341

Function 00007FF848F4A042 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2111342070.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d331260da86edbcd94f334ac8581bf9a764845500ae31992c52f39921ece327
Instruction ID: 1e6bb95966e475be51bacf9bb2c2778279050d78b41108fa12c82a6e49217f23
Opcode Fuzzy Hash: 3d331260da86edbcd94f334ac8581bf9a764845500ae31992c52f39921ece327
Instruction Fuzzy Hash: 5741B67281E6C55FD752AB7C98A60E53F70EF22658F0901F7D088CE0E3EA1C5899C756

Function 00007FF848F49D38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2111342070.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a8f829d754237e0c62b44b6e8a601433121befa8c0b6e3dda3a560450177f4
Instruction ID: 8f2ed0716e71638501bf091ad7fbb91ac898f9ba111c2498769153f27c01d2e8
Opcode Fuzzy Hash: 10a8f829d754237e0c62b44b6e8a601433121befa8c0b6e3dda3a560450177f4
Instruction Fuzzy Hash: 90F0827181CA8C8FDB45EF2898195A87FE0FF79201F0401EBE40DD71A1EB259958CB82

Function 00007FF848E2E380 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2110650319.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a4b13c5af9488bb3efa72b6191a686f06eba0a0ec41d285526c404880e57c4
Instruction ID: 486fcd6d7b2fca5b33626c33bb4d06170d9134252360de43b895ba5441dacc7a
Opcode Fuzzy Hash: d3a4b13c5af9488bb3efa72b6191a686f06eba0a0ec41d285526c404880e57c4
Instruction Fuzzy Hash: 5841037080DBC54FE7569B2898459923FB0FF52361F1502EFD088CB1A3D729E846C792

Function 00007FF848F49768 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2111342070.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500260e04babb9e0ca2101663a77e8f9123a9655a291f244aa9e505c4bece819
Instruction ID: 767bbbb7523fca47cc31559997e4d78cae44a5bb3602bce22f5693877355f23a
Opcode Fuzzy Hash: 500260e04babb9e0ca2101663a77e8f9123a9655a291f244aa9e505c4bece819
Instruction Fuzzy Hash: 44310C31A1CB485FDB18DF5CA80A6E97BE0FBA9710F10412FE449D3651DB70A8568BC2

Function 00007FF848F4A62C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2111342070.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f749025866da2123a8b74d532e1705a6b9b3441cbd32ecee7ea6b4d7517f8b
Instruction ID: dc631e290ddab7b687f708c29f24100b9653d46b68d8aea33291f8b4b582399f
Opcode Fuzzy Hash: 58f749025866da2123a8b74d532e1705a6b9b3441cbd32ecee7ea6b4d7517f8b
Instruction Fuzzy Hash: D921F83190CB4C4FEB59DB6C984A7E97FF0EBA6321F04416FD048C3192DA75A45ACB91

Function 00007FF848F433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2111342070.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45

Function 00007FF8490143FA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2111957329.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a8e8068aa103d31cf44199b66f0bedceb7322ddf4199fa6c37290098859fa0
Instruction ID: bb50d7f3506dc65e537612623d1a409f9fecc91189a9756c986bd02ba1ffb60e
Opcode Fuzzy Hash: a7a8e8068aa103d31cf44199b66f0bedceb7322ddf4199fa6c37290098859fa0
Instruction Fuzzy Hash: E7F09A31A0C5858FEB64EF5CA4458A8B7E0FF05360B4500B6E15DC70A3EB2AEC50C764

Non-executed Functions

Function 00007FF848F48BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

K_^4, xrefs: 00007FF848F48BFA
K_^7, xrefs: 00007FF848F48C12
K_^F, xrefs: 00007FF848F48C7A
K_^J, xrefs: 00007FF848F48C8A

Memory Dump Source

Source File: 00000002.00000002.2111342070.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID: K_^4$K_^7$K_^F$K_^J
API String ID: 0-377281160
Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
Instruction ID: bead706383397ff6f8c4a37cb53810d507c8abccd64b99c06fffeb200d3c1acc
Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
Instruction Fuzzy Hash: 11213B7761A525AED7417B7CB8045DA3BA0DF982B8B4503B3D198CF053EA1C708786D4

Analysis Process: powershell.exePID: 6220, Parent PID: 4080COMMON

Executed Functions

Function 00007FF849016605 Relevance: 6.7, Strings: 5, Instructions: 436COMMON

Download Yara Rule

Strings

(B%I, xrefs: 00007FF8490166ED
(B%I, xrefs: 00007FF84901678C
(B%I, xrefs: 00007FF849016858
(B%I, xrefs: 00007FF8490167C3
(B%I, xrefs: 00007FF849016974

Memory Dump Source

Source File: 00000005.00000002.2197022564.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID: (B%I$(B%I$(B%I$(B%I$(B%I
API String ID: 0-1877043794
Opcode ID: de94489e326f5d3c943dd3530879a1b5b76c7468b5ce7d8675631ba2a75aedf3
Instruction ID: 50e3a6e9929cc66b6afb317e367429be9c39b7d04f9209fa4509ae61acaf4db6
Opcode Fuzzy Hash: de94489e326f5d3c943dd3530879a1b5b76c7468b5ce7d8675631ba2a75aedf3
Instruction Fuzzy Hash: 3FD14432D0EACA9FEB65AF6858165B5BBA0EF06394F0801FBD04DC7193EA19EC01C351

Function 00007FF849014073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

8>%I, xrefs: 00007FF84901413A

Memory Dump Source

Source File: 00000005.00000002.2197022564.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID: 8>%I
API String ID: 0-3722309147
Opcode ID: 946f48e1d84be3374e02d6d998904e22259939e4c5cb3d230592726bf17739e7
Instruction ID: 06617a49406c08b7f8170abd7849d831f85ca002bda03e43a8d14e6c833bd1fb
Opcode Fuzzy Hash: 946f48e1d84be3374e02d6d998904e22259939e4c5cb3d230592726bf17739e7
Instruction Fuzzy Hash: 35511C32E0DA8A8FEBA9EE2C541267577E1EF55360F5801BEC14DC72A3EE25EC058341

Function 00007FF8490140BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

8>%I, xrefs: 00007FF84901413A

Memory Dump Source

Source File: 00000005.00000002.2197022564.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID: 8>%I
API String ID: 0-3722309147
Opcode ID: 5d0dee9f01cf747bb54e864a6490ee0c396616afd6c0290037111f181f2215f1
Instruction ID: b86f92cf879ddd4b41aae7b180c36a28430ed941bd5a270b1bd81286b66b9189
Opcode Fuzzy Hash: 5d0dee9f01cf747bb54e864a6490ee0c396616afd6c0290037111f181f2215f1
Instruction Fuzzy Hash: 7421D232E0D9C78FEBB9EF2C546217476D5EF642A0B5901BAC05DC71B2EE29EC048341

Function 00007FF848F49770 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2196452314.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418917cc3572b0107dc9b96a218021c6c40fef3a2056212d3ff041fd3ad693d4
Instruction ID: f5243f184871f96800446ad5e33dfba61a1ce4605b3c09d21b82176e98dc5c5e
Opcode Fuzzy Hash: 418917cc3572b0107dc9b96a218021c6c40fef3a2056212d3ff041fd3ad693d4
Instruction Fuzzy Hash: 3341FA31A1CB884FD719DF1CA8066A97BF0FB69711F10416FD049D3692CA656846CBC6

Function 00007FF848E2F360 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2195822871.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fb9bb62ed997e27acae70acc9dac157de1124a9f9d2355b338257f468f6797
Instruction ID: 54aca9ac519211291a780394e99db57051644ce18d0253f76ef7b2ae946f3268
Opcode Fuzzy Hash: 69fb9bb62ed997e27acae70acc9dac157de1124a9f9d2355b338257f468f6797
Instruction Fuzzy Hash: A241163080DBC44FE7669B2998419523FF0FF56360F1501EFD488CB1A3C625A846C792

Function 00007FF848F4A49C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2196452314.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b69e8ab837b3a79d781f9b4a88b17dc18238313334b758d35cb342f4bdac2b6
Instruction ID: 0dd573f3feb5401c1573e279b6e3314c2e4f09da9a84580321d0d1785ec766e4
Opcode Fuzzy Hash: 1b69e8ab837b3a79d781f9b4a88b17dc18238313334b758d35cb342f4bdac2b6
Instruction Fuzzy Hash: 95210C3190C74C4FDB59DB6C984A7E97FF0EB66321F04416BD048C31A6D674A45ACB91

Function 00007FF848F433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2196452314.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45

Function 00007FF848F4A0FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2196452314.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d71dfed12fe92a774ff85587ef58b13ecad9fc43bf17b8c315ac6da7ac3e17
Instruction ID: ccd444a28d97cb814a8bcf1ce956cd5ad342aa907862a1319c4d30e677bc1d14
Opcode Fuzzy Hash: 00d71dfed12fe92a774ff85587ef58b13ecad9fc43bf17b8c315ac6da7ac3e17
Instruction Fuzzy Hash: F6F0FC7640D9CC4FDB42EF3CA8690E9BFA0FFA5204F0402EBD449C7191D7215958CB81

Function 00007FF8490143FA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2197022564.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353ac20097b6f589914e4e6c34808a1369e6e40bb4fe1911e7ce96953db23c2f
Instruction ID: bb50d7f3506dc65e537612623d1a409f9fecc91189a9756c986bd02ba1ffb60e
Opcode Fuzzy Hash: 353ac20097b6f589914e4e6c34808a1369e6e40bb4fe1911e7ce96953db23c2f
Instruction Fuzzy Hash: E7F09A31A0C5858FEB64EF5CA4458A8B7E0FF05360B4500B6E15DC70A3EB2AEC50C764

Non-executed Functions

Function 00007FF848F48BD3 Relevance: 7.6, Strings: 6, Instructions: 146COMMON

Download Yara Rule

Strings

K_^4, xrefs: 00007FF848F48BC2
K_^5, xrefs: 00007FF848F48BC9
K_^U, xrefs: 00007FF848F48C8A
K_^Y, xrefs: 00007FF848F48CAA
K_^N, xrefs: 00007FF848F48C62
K_^@, xrefs: 00007FF848F48C22

Memory Dump Source

Source File: 00000005.00000002.2196452314.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID: K_^4$K_^5$K_^@$K_^N$K_^U$K_^Y
API String ID: 0-4293504607
Opcode ID: b566d55ea3ec92bc99b1b2bf300636615cba95e409f92dfec8104dd451d841a8
Instruction ID: 3b04767f684739b1fed80b958d36bc035f27632ba70f6874722682e4975b8c8b
Opcode Fuzzy Hash: b566d55ea3ec92bc99b1b2bf300636615cba95e409f92dfec8104dd451d841a8
Instruction Fuzzy Hash: 2431297771E52A6ED601767CB8811E967A0EF947B9B8403B7D188CF043CE1C608B86D8

Function 00007FF848F489F2 Relevance: 6.4, Strings: 5, Instructions: 102COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF848F48A12
K_^, xrefs: 00007FF848F48AC9
K_^, xrefs: 00007FF848F48A7A
K_^, xrefs: 00007FF848F48A6A
K_^, xrefs: 00007FF848F489F2

Memory Dump Source

Source File: 00000005.00000002.2196452314.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^
API String ID: 0-4077390204
Opcode ID: ff221f57fbe57ec32a90671c2308206f7565a67e7932b9b6110124098499c666
Instruction ID: 25ec86d1cdaea04f700abf08d28e99f8563842a3b6e465c6e08b73ee7b955597
Opcode Fuzzy Hash: ff221f57fbe57ec32a90671c2308206f7565a67e7932b9b6110124098499c666
Instruction Fuzzy Hash: C531DAB391D5C21FE34A573858650E6BFA0EF6279CB0D01FAC4C89E0C3EE9968478655

Analysis Process: powershell.exePID: 4296, Parent PID: 4080COMMON

Executed Functions

Function 00007FF848FF6605 Relevance: 6.7, Strings: 5, Instructions: 433COMMON

Download Yara Rule

Strings

(B#I, xrefs: 00007FF848FF67C3
(B#I, xrefs: 00007FF848FF678C
(B#I, xrefs: 00007FF848FF6858
(B#I, xrefs: 00007FF848FF66ED
(B#I, xrefs: 00007FF848FF6974

Memory Dump Source

Source File: 00000008.00000002.2338530347.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: (B#I$(B#I$(B#I$(B#I$(B#I
API String ID: 0-1620291718
Opcode ID: b016d05a5c1ba52f7d4fa0ab7a6b8a4602402980792f3cdec8c30ac88e758b37
Instruction ID: 4e695a5a1e10ebc2ebdb08b879183b0d00e1f25b3d6b43fbc6deb835f5f691b2
Opcode Fuzzy Hash: b016d05a5c1ba52f7d4fa0ab7a6b8a4602402980792f3cdec8c30ac88e758b37
Instruction Fuzzy Hash: D3D11131D0EA8A9FE799AB2858155B5BBA0EF1A390F1801FFD50DCB1D3EE1CA805C355

Function 00007FF848FF4073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

8>#I, xrefs: 00007FF848FF413A

Memory Dump Source

Source File: 00000008.00000002.2338530347.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: 8>#I
API String ID: 0-2340899229
Opcode ID: e91d52588572478d0c904d13e2c3aac54a56f09ce5819d3f7a5d2634b82c3ffe
Instruction ID: 5898b985a238f5c4c6f79266077de4036e9d44d016ffc3ffed1a936dde447c7c
Opcode Fuzzy Hash: e91d52588572478d0c904d13e2c3aac54a56f09ce5819d3f7a5d2634b82c3ffe
Instruction Fuzzy Hash: 1F51D132A0DA4A4FE79AEB2C541167577E2FFA5260F5801BBD24EC72D3DF18E8058349

Function 00007FF848FF40BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

8>#I, xrefs: 00007FF848FF413A

Memory Dump Source

Source File: 00000008.00000002.2338530347.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: 8>#I
API String ID: 0-2340899229
Opcode ID: 438e21698339d78d0fa338721273e1ebb6eb52c86a9311f6e9f0bfa0ab18c5f6
Instruction ID: 4c4899a3a89e63f07b303e2d3b6a1858681216af9ab52aca89a05ffcac55f49c
Opcode Fuzzy Hash: 438e21698339d78d0fa338721273e1ebb6eb52c86a9311f6e9f0bfa0ab18c5f6
Instruction Fuzzy Hash: EE218D32E0E98B4FE7AAEB2C545117466D1FF742A0F5901BAD25DC72E2DF18EC048349

Function 00007FF848F29EF3 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2337455572.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911dcf6bb615f7d6c1ddda2a3345ecadd987359d3cbd14b987d085536d7a0d0f
Instruction ID: 63cac24a6cbfd6988d30862c6b2526360aca4e3499ea68da7102b8338ae5a3dc
Opcode Fuzzy Hash: 911dcf6bb615f7d6c1ddda2a3345ecadd987359d3cbd14b987d085536d7a0d0f
Instruction Fuzzy Hash: 0581CA3790E9D98FE742E72C78660E97B50EF12669F0902F6C4884F0D3FE1A24598759

Function 00007FF848E0EE20 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2336314381.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95e4e7e8aa32a77cdf537944ae96d452cba6735a86fc204308c059dc9934df6
Instruction ID: a07651b9d520e2eacf03d6e03c3d8e58c041f4cf2596080e34786f90a698928e
Opcode Fuzzy Hash: b95e4e7e8aa32a77cdf537944ae96d452cba6735a86fc204308c059dc9934df6
Instruction Fuzzy Hash: 4241E37180DBC94FE7569B2998459623FF0FF53360B1506EFD088CB1A3E625A846C7A2

Function 00007FF848F29768 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2337455572.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91534b22400ea9794cc60e0cd74845b6bad8b4dd5e9d5d41617b586653ee587c
Instruction ID: 4ae20ed084f0e733b8d4107b3d6a7fcb9e920384526ae03154b8dfccb9ff8068
Opcode Fuzzy Hash: 91534b22400ea9794cc60e0cd74845b6bad8b4dd5e9d5d41617b586653ee587c
Instruction Fuzzy Hash: BC31F63191CB489FDB18DB5CA8066E97BE0FB99711F00422FE44993692CB31A856CBC2

Function 00007FF848F2A47C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2337455572.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90f8a9208b77e10ac48a82ad8ba408aac5270d36c8be4bdf83b9b08fad62b1e
Instruction ID: 953f2276b53268805499a65722ca0a274d7d42d8225c671acfda9aa4e4768a0c
Opcode Fuzzy Hash: f90f8a9208b77e10ac48a82ad8ba408aac5270d36c8be4bdf83b9b08fad62b1e
Instruction Fuzzy Hash: 0A21387080D7888FE709DB689C4A6F97FE4EF52320F08429FD445DB1A3DA799846CB61

Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2337455572.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46

Function 00007FF848FF43FA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2338530347.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c8ddb0d0395f124caddf9e20a8d3e69c7e005f12d8a7c3fbf299655f589b71
Instruction ID: 7e1c3ae5898979a2193a2b7b82a81bbc69854c81746028a451958890e6b21308
Opcode Fuzzy Hash: 09c8ddb0d0395f124caddf9e20a8d3e69c7e005f12d8a7c3fbf299655f589b71
Instruction Fuzzy Hash: 41F09A31A0C5458FDB54EB5CA4448A8B7E0FF15360F4500B6E15DD71A3DB2AAC608764

Non-executed Functions

Function 00007FF848F28BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^J, xrefs: 00007FF848F28C8A
M_^4, xrefs: 00007FF848F28BFA
M_^7, xrefs: 00007FF848F28C12
M_^F, xrefs: 00007FF848F28C7A

Memory Dump Source

Source File: 00000008.00000002.2337455572.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction ID: 4b251d57f47bb37acb7270bcb3fcd5e7a9f7ff78876cdeb73e676b5544b6a454
Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction Fuzzy Hash: 6C213B7761A465DED3427B7DB8045DA3750DF942B8B8503B2E098CF083FE1C70868AD4

Analysis Process: powershell.exePID: 6468, Parent PID: 4080COMMON

Executed Functions

Function 00007FF848FE6605 Relevance: 7.9, Strings: 6, Instructions: 436COMMON

Download Yara Rule

Strings

(B"I, xrefs: 00007FF848FE678C
X7m, xrefs: 00007FF848FE67FD
(B"I, xrefs: 00007FF848FE67C3
(B"I, xrefs: 00007FF848FE66ED
(B"I, xrefs: 00007FF848FE6858
(B"I, xrefs: 00007FF848FE6974

Memory Dump Source

Source File: 0000000A.00000002.2524460846.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: (B"I$(B"I$(B"I$(B"I$(B"I$X7m
API String ID: 0-2483857086
Opcode ID: 27e4c58c63a3eaa5dc86aebafd9d3368358f9d6bdabed56e0ea14f708f9bb629
Instruction ID: 30df305f516d091ba06d7f24dbeacea7e1c8d5b258aba9ee17b96e2c97ae2470
Opcode Fuzzy Hash: 27e4c58c63a3eaa5dc86aebafd9d3368358f9d6bdabed56e0ea14f708f9bb629
Instruction Fuzzy Hash: B6D14131D1EA8E5FE795AB2858545B5BBA0EF163A0F1801FAD04DCB1D3EA1CA805C356

Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

8>"I, xrefs: 00007FF848FE413A

Memory Dump Source

Source File: 0000000A.00000002.2524460846.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: 8>"I
API String ID: 0-2459728092
Opcode ID: 924729ab43f1751da496430b5b507c375c63218fb02fc7b1595cb471b6bcfc83
Instruction ID: 18849732d10264153d02106bdc68b00c6e844db0a7123fa7b3cda6e891626943
Opcode Fuzzy Hash: 924729ab43f1751da496430b5b507c375c63218fb02fc7b1595cb471b6bcfc83
Instruction Fuzzy Hash: D251C232A0DE4A4FEB9AEB2C941167577E1EFA5260F5801BEC14EC72D2DF1CE8058349

Function 00007FF848FE40BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

8>"I, xrefs: 00007FF848FE413A

Memory Dump Source

Source File: 0000000A.00000002.2524460846.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: 8>"I
API String ID: 0-2459728092
Opcode ID: 9f9ca578414c66b5348417d69f9a1caec836e5c49bc30cc285ee173b27dce723
Instruction ID: 0957681d344aa37c54ed9444562ae0c58ae630dd875684e34be0899423e941e4
Opcode Fuzzy Hash: 9f9ca578414c66b5348417d69f9a1caec836e5c49bc30cc285ee173b27dce723
Instruction Fuzzy Hash: C9218E32E0DE864FEBAAEB18945117466D1FF64290F5901BEC15DC72E2CF1CDC04824A

Function 00007FF848F1B258 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2523489598.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6aaaf33f653e5afbe08443416ab6e232b560a403001fd4f537ffd9549d45b9
Instruction ID: 78e812c8d7e67dbf7a0f6af2e3f6f874ae09321ac218dea0dd025b622dbd9b47
Opcode Fuzzy Hash: 2c6aaaf33f653e5afbe08443416ab6e232b560a403001fd4f537ffd9549d45b9
Instruction Fuzzy Hash: 8FB1483092CB898FE748EF18C8856B9BBE1FF95351F14417ED08AC3197DA25E846CB41

Function 00007FF848F19780 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2523489598.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe4c0e7e2794ff3ee900a09dfaa0a20093ee6c64132b5e3ea1d7b27b581e718
Instruction ID: d8f67498c8b9a6d6129d256210bcfea0ad30a09c7622299077d2f9b2e3f5b39f
Opcode Fuzzy Hash: ffe4c0e7e2794ff3ee900a09dfaa0a20093ee6c64132b5e3ea1d7b27b581e718
Instruction Fuzzy Hash: DB31093191CB888FDB199B1C9C066A97BF0FB59711F00426FE049C3692CA71AC56CBC2

Function 00007FF848DFEF00 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2522424183.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848dfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d032b58e72f06c0707dff60bc5f68a79b853ec6c31d42b8654c285a7cd69548
Instruction ID: f32e3cadfd2adccc645f79e247ce1fc1ff67caed41356e7b3b694afe86fb11d3
Opcode Fuzzy Hash: 0d032b58e72f06c0707dff60bc5f68a79b853ec6c31d42b8654c285a7cd69548
Instruction Fuzzy Hash: 4641F67180EBC44FD7569B289855A523FF0EF57320B1901DFD088CF1A3DB25A84AC792

Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2523489598.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF848F1A0FB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2523489598.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce0afef973a3df3d2ed104c5aa8e5345ca75ebb5d486ce1e035086cb8b25624
Instruction ID: 2c36be26050b34f4c5b98ebc8d0d4cc500a723851e608b6d64961b38c9c64bfe
Opcode Fuzzy Hash: 6ce0afef973a3df3d2ed104c5aa8e5345ca75ebb5d486ce1e035086cb8b25624
Instruction Fuzzy Hash: EFF0A43690CA884FD785EB2898550E4BBA0EF65351B0401BBD508C70A2DE2198488B81

Function 00007FF848FE43FA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2524460846.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95979d12e795f676f893131bbb291c90def57d43d6eb7f4f04f2f1645ff55f9f
Instruction ID: abb068cdaee11bbd3e5f6210b2b69590adefcc878c7c3bfd31f67e4bc86492d2
Opcode Fuzzy Hash: 95979d12e795f676f893131bbb291c90def57d43d6eb7f4f04f2f1645ff55f9f
Instruction Fuzzy Hash: C9F09A31A0C9458FDB54EB5CA4448B8B7E0FF15360F4500BAE05DC74A3DB29AC608765

Non-executed Functions

Function 00007FF848F18BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

N_^<, xrefs: 00007FF848F18C12
N_^?, xrefs: 00007FF848F18C2A
N_^N, xrefs: 00007FF848F18C72
N_^Y, xrefs: 00007FF848F18CBA
N_^8, xrefs: 00007FF848F18BF2
N_^Q, xrefs: 00007FF848F18C8A
N_^K, xrefs: 00007FF848F18C6A
N_^J, xrefs: 00007FF848F18C62

Memory Dump Source

Source File: 0000000A.00000002.2523489598.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
API String ID: 0-2388461625
Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
Instruction ID: 198e3087ebbfc7504edfa98630f772db252869f6143ea1114750b6929877bbe0
Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
Instruction Fuzzy Hash: D0212973A1A5119AC30137BCBC515D97B91EF543B874502F3E218CF113DE1C648B8796

Analysis Process: SystemPID: 6476, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F11CA1 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd80cc03f0502e0783dc33bfeab9009cc5f8af1f8c589ad13423f3f1e6999fb
Instruction ID: 40e54a1268d8943326fb95b1c4a843b2a06508f5ae85cadabb9f571e100f08c0
Opcode Fuzzy Hash: 7bd80cc03f0502e0783dc33bfeab9009cc5f8af1f8c589ad13423f3f1e6999fb
Instruction Fuzzy Hash: 2351EE20A5E6C95FD786AB7858642B6BFE1DF87369F0800FAE089C71D3DE185C46C346

Function 00007FF848F10DF2 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434f792b90ab05f7827bfc53b694a513c1557e6e000d3bb3f267b5a9729a49ba
Instruction ID: 6ea6d37df1803728b0f0a188f292f371e63a830812586a69b72b502cad9959fd
Opcode Fuzzy Hash: 434f792b90ab05f7827bfc53b694a513c1557e6e000d3bb3f267b5a9729a49ba
Instruction Fuzzy Hash: 8531D032D1DAAA5FE745FB2898A51EA7BB0FF95350F4400BAC089DB2D3DE182C468354

Function 00007FF848F10E30 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a07dc81cadb3dbc5e1770db6620a5ad2d8cc04dabbdfb1440ee502ea7f1e46
Instruction ID: bb76c83bd34fc64dc96923d3210ed93e14c2bde3e6a97379ac3bfd06c987c157
Opcode Fuzzy Hash: 71a07dc81cadb3dbc5e1770db6620a5ad2d8cc04dabbdfb1440ee502ea7f1e46
Instruction Fuzzy Hash: 1521A132C1CA9A5FE785EB2888651FABFB1FF95340F4400BAC049D72D3DE286C458355

Function 00007FF848F112C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ea280ac05fd97e061e1dd7f63d895f51329be5d7372b470a40823c6af1a505
Instruction ID: 8ee9c3718347384a4dbc4789a4f42fd79a9c80c94dccb5b368ee9da12e2a9c18
Opcode Fuzzy Hash: c8ea280ac05fd97e061e1dd7f63d895f51329be5d7372b470a40823c6af1a505
Instruction Fuzzy Hash: BE717330A299595FD798BB7894A97B936E2FF99780F800479E40EC32C7DF286C01C754

Function 00007FF848F10C3E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393fdc24794028e9d1a368c2edef5c2de094c2daca056b14ee9a7c25b8417ec5
Instruction ID: 2df80d87ae002ab041cb6024aa6e8f7ccedb711090f431ab771d8dff34af8365
Opcode Fuzzy Hash: 393fdc24794028e9d1a368c2edef5c2de094c2daca056b14ee9a7c25b8417ec5
Instruction Fuzzy Hash: 0B512631A1E6861FE356B73C98652B53FE1EF86260B0900FBD48DC7193DD1C5C468362

Function 00007FF848F10538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f458eaefbae832d10934a6562382df74296b91b23d3335bf552e9ce512dab4
Instruction ID: 67b010b26cb3de643e73b5bc3f41a0a142cc3e89280057733b5eda5213914210
Opcode Fuzzy Hash: 25f458eaefbae832d10934a6562382df74296b91b23d3335bf552e9ce512dab4
Instruction Fuzzy Hash: C631B231F2D9491FE698FB2C945A379B6C2EBD9355F0405BAE00EC32D3DE28AC418345

Function 00007FF848F10AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e577af46bdbc9521d07759378ef593965b6855e2fd5b8d103838ca1c5ff8398
Instruction ID: 8523ce8fb04acfc9428d0ab0eb4aa957fcd0aff42f5fc05a8c2ca4488e67a77f
Opcode Fuzzy Hash: 1e577af46bdbc9521d07759378ef593965b6855e2fd5b8d103838ca1c5ff8398
Instruction Fuzzy Hash: 6131E021F2E9599FE744BB6C581A3BD77E1EBD8755F040276E40CC3282DE2C5C018761

Function 00007FF848F10985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3754ff1640ef5297e1a4f627db1b70b78750f238abb5dd09a0867958ba4677
Instruction ID: 4f0e656118d2a0f97e8f50a9f4da22f67db9cfedb963ee93367f187b1ef073a1
Opcode Fuzzy Hash: 1e3754ff1640ef5297e1a4f627db1b70b78750f238abb5dd09a0867958ba4677
Instruction Fuzzy Hash: 6A31B030E1A95A9FEB44FB68C4A57AE7BF1FF98340F540579D00AD3282DE3C68418750

Function 00007FF848F10868 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113e35543c7374869e2efdffa2c1e96cae554c4be3a1258482fcf7732038d433
Instruction ID: c9cb6807fc5cc779f2272935f41ab12280ae446dc027ad1007293bd44d50eaf2
Opcode Fuzzy Hash: 113e35543c7374869e2efdffa2c1e96cae554c4be3a1258482fcf7732038d433
Instruction Fuzzy Hash: 6921C231A5F98A5FD340EB1890E56AA3FB1FF95280FA44565D40EC3787CE3C69008761

Function 00007FF848F11E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2599171095.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c8471194f767a884df891ae34dec7586104125dfa490bd8c338f35a0824cfa
Instruction ID: 7cbc63f8ae19db8a2acfaa6a868cc135d5864d909b95e61dee802529ffe06fee
Opcode Fuzzy Hash: 37c8471194f767a884df891ae34dec7586104125dfa490bd8c338f35a0824cfa
Instruction Fuzzy Hash: 60012121D0DBD04FE742BB386861572BFE0DF92380F0804ABE889C60D7DE08BD848396

Analysis Process: SystemPID: 1292, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F11CA1 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd52213420afbdb7bc29378ffff53323b3ef7025bea6f6ed5d40ef18cad6dd0c
Instruction ID: 8b2ccc94458e37b6e169c763ba8b953d09c34eda8ad6a1d419e096a1d2c0196b
Opcode Fuzzy Hash: bd52213420afbdb7bc29378ffff53323b3ef7025bea6f6ed5d40ef18cad6dd0c
Instruction Fuzzy Hash: 1951FE20A5E6C95FD786AB7858242B6BFE1DF87369F0800FAE089C71D3DE185C46C346

Function 00007FF848F10DF2 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9246217930e58452530e5c5bae09a1fdc08bbf34fc815a2a5d14027b46a323
Instruction ID: 5e987dc60bbb4a67c43d5cf03017daf221af00c92abe9b42b95e7be4106b2343
Opcode Fuzzy Hash: 6b9246217930e58452530e5c5bae09a1fdc08bbf34fc815a2a5d14027b46a323
Instruction Fuzzy Hash: DF31D236D1D99A5FE745FB2898A51EA7BB0FF95350F4400BAC089DB2D3DE2C2C4A8354

Function 00007FF848F10E30 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe7f8e7cdace9054a7bee0808ef5656f8348c34eb8a6c3d77a92af04119c9d8
Instruction ID: c6edbd7bcd1b4b65bbf0530aaca974c36d4b46400d11ca25077f4be6df42beca
Opcode Fuzzy Hash: 1fe7f8e7cdace9054a7bee0808ef5656f8348c34eb8a6c3d77a92af04119c9d8
Instruction Fuzzy Hash: 87219F32C1CA9A5FE785AB2888A51FABFB1FF95340F4500BAC049D72D3DE2C6C458354

Function 00007FF848F112C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0866f522c9ec41b44419a80797d73b6226081a3d6607efe981fda7d3a6ce7c24
Instruction ID: 3677b4b8a2b25436fdde5540cc4f5c55db00b63a82f341383ba875644f90add1
Opcode Fuzzy Hash: 0866f522c9ec41b44419a80797d73b6226081a3d6607efe981fda7d3a6ce7c24
Instruction Fuzzy Hash: 85717F31A696595FEB98F77894697B936A2FF98740F800479E40EC32C6DF2CAC01C754

Function 00007FF848F10C3E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c588392c88178036a7f9817f41646eeae435fc68d635bf2ca3ab6984707c3acf
Instruction ID: c16460bb079712fcffd5679fba2f1bc1e8875458b54dd3616996fc6fd2af2a76
Opcode Fuzzy Hash: c588392c88178036a7f9817f41646eeae435fc68d635bf2ca3ab6984707c3acf
Instruction Fuzzy Hash: 33511631A1E6961FE356B73C98652B53FE1EF86660B0900FBD488C7193DD1C9C468362

Function 00007FF848F10538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c68b16b4c162f306148dd39e875be267e236d440980ab3ef48b1587c808f04
Instruction ID: 4a24a90aa81e248764dde063a185b18ac2450582c35970bcc2e4204a19514fea
Opcode Fuzzy Hash: b3c68b16b4c162f306148dd39e875be267e236d440980ab3ef48b1587c808f04
Instruction Fuzzy Hash: 4B31B231F2D9491FE698FB2C945A379B6C2EBD9355F0405BAE00EC32D3DE289C418345

Function 00007FF848F10AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e577af46bdbc9521d07759378ef593965b6855e2fd5b8d103838ca1c5ff8398
Instruction ID: 8523ce8fb04acfc9428d0ab0eb4aa957fcd0aff42f5fc05a8c2ca4488e67a77f
Opcode Fuzzy Hash: 1e577af46bdbc9521d07759378ef593965b6855e2fd5b8d103838ca1c5ff8398
Instruction Fuzzy Hash: 6131E021F2E9599FE744BB6C581A3BD77E1EBD8755F040276E40CC3282DE2C5C018761

Function 00007FF848F10985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bcb77ff373d421690f727cdc7cbd23bdbdce51a0647b46283b4a7b19fd259b
Instruction ID: fa465a4451cdda52772c9119d1fcb1e12c414850ca38159be591b1f441f5558e
Opcode Fuzzy Hash: 75bcb77ff373d421690f727cdc7cbd23bdbdce51a0647b46283b4a7b19fd259b
Instruction Fuzzy Hash: 14319E30A19A1A9FEB44FB68C8657AE7BB1FF98340F500579D009D32C6DF3CA8458760

Function 00007FF848F10868 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57aeeb7336b4c152e26fc8d27fc3271ba2ef9c8c4b54dd123b3665a199cf53ad
Instruction ID: c89ef1e49c707c6265964b6aece728d7915e1a6bc6a061cb793bf736d1fe6d4c
Opcode Fuzzy Hash: 57aeeb7336b4c152e26fc8d27fc3271ba2ef9c8c4b54dd123b3665a199cf53ad
Instruction Fuzzy Hash: F421D535A9E6495FD341FB2C98A16AA3F71FF94300F804565D408C73DBCF2C6A048761

Function 00007FF848F11E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2685267502.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae856f0a781b0129b449afcab22b054d8f8fe00c8aa61d17f777b6ba4894b55
Instruction ID: f44649aa7b9cb0ebef689236013d9484906725ba1d3cffd7e664dae76550b71c
Opcode Fuzzy Hash: 2ae856f0a781b0129b449afcab22b054d8f8fe00c8aa61d17f777b6ba4894b55
Instruction Fuzzy Hash: 0D012124D0D7804FE742B7386821572BFE0DF92380F0804ABE888C60DBDA08BD848396

Analysis Process: SystemPID: 6456, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F10DF2 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecc47ec4e675a8513a0630ca5589adaec0d200ad5fca32c2daeb57bf47fdc4e
Instruction ID: 2618659a44122d61b494f4b9ef4f74fdd4154606c7ee78a384cf0e3f25c3bc3d
Opcode Fuzzy Hash: 7ecc47ec4e675a8513a0630ca5589adaec0d200ad5fca32c2daeb57bf47fdc4e
Instruction Fuzzy Hash: F331D232D1D99A5FE745FB6898651EA7BB0FF95390F4400BAC089DB2D3DE182C468354

Function 00007FF848F10E30 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c92d5e341eb9585ca66b929384ab04f26ea0cba0d663c3ede4c4a8da7842d5
Instruction ID: 1335b90d237ddbca5e933395f7688c8048fe4ce765ea49ce47393bc2f2dc6c7c
Opcode Fuzzy Hash: 29c92d5e341eb9585ca66b929384ab04f26ea0cba0d663c3ede4c4a8da7842d5
Instruction Fuzzy Hash: 42219F31C1CA9A5FE785EB6888651FABFB1FF95380F4400BAC049D72D3DE286C458354

Function 00007FF848F112C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c847e25457d98ba48df584ef8e7d606b5d8b5b92645c433ed1dede271a27772c
Instruction ID: 6b51ed65d3819b951ad882c80f84399f5ffdc6ab663cdad0a3d4fb80d78ba072
Opcode Fuzzy Hash: c847e25457d98ba48df584ef8e7d606b5d8b5b92645c433ed1dede271a27772c
Instruction Fuzzy Hash: 30714F30A2D6599FE798F77884696B936E2FF89784F800479E40EC32C6DE2D6C01C754

Function 00007FF848F10C3E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8abe02a3fef97b769c3e79cd1864304b0b143c87eeb68d051e12a976b8f052e
Instruction ID: 24346ad3dd8e7dd36d6bc4153899658f313a803a3f56dbcb085223b899120fb7
Opcode Fuzzy Hash: a8abe02a3fef97b769c3e79cd1864304b0b143c87eeb68d051e12a976b8f052e
Instruction Fuzzy Hash: D3511631A1E6961FE396B73C98652B53FE1EF86664B0900FBD48CC7193DD1C5C468362

Function 00007FF848F10AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e577af46bdbc9521d07759378ef593965b6855e2fd5b8d103838ca1c5ff8398
Instruction ID: 8523ce8fb04acfc9428d0ab0eb4aa957fcd0aff42f5fc05a8c2ca4488e67a77f
Opcode Fuzzy Hash: 1e577af46bdbc9521d07759378ef593965b6855e2fd5b8d103838ca1c5ff8398
Instruction Fuzzy Hash: 6131E021F2E9599FE744BB6C581A3BD77E1EBD8755F040276E40CC3282DE2C5C018761

Function 00007FF848F10985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b756adc2f14070e380ff382adf4887434ff11a13c2ad09aa00876018463eb7dc
Instruction ID: adf557cb538614fb82bf354382baa674d55ee8040e1587f745115ca769c0cdc4
Opcode Fuzzy Hash: b756adc2f14070e380ff382adf4887434ff11a13c2ad09aa00876018463eb7dc
Instruction Fuzzy Hash: 03318D30A19A1E9FEB44FB68C4656AE7BF1FF98344F500579D009D3286DE3DA8418750

Function 00007FF848F10868 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.3270452446.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff0a777aa6117fbee863ee559e4ac06b55caf7ebd49d3c1922e84cb9b46dca7
Instruction ID: adae73702fec7f75a4ffd4ef3a0fb4a21c953ba93306f0d063c837795179a1ac
Opcode Fuzzy Hash: 1ff0a777aa6117fbee863ee559e4ac06b55caf7ebd49d3c1922e84cb9b46dca7
Instruction Fuzzy Hash: 97216434A1E58D9FE381F75884A56AE7FF1EF85288F8081A5D508C7387CE2D69408755

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CTIPUPiILj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04mzi5c1.e2s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ii0eyct.03j.ps1

Windows Analysis Report
CTIPUPiILj.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre