Edit tour

Windows Analysis Report
iLPxdpxQ3e.exe

Overview

General Information

Sample name:	iLPxdpxQ3e.exe renamed because original name is a hash value
Original sample name:	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe
Analysis ID:	1546358
MD5:	3e9007a477dd81264659889b9e245c8d
SHA1:	7d784a4b63b95f2330217b88e8b1d53b54533ffd
SHA256:	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

iLPxdpxQ3e.exe (PID: 4900 cmdline: "C:\Users\user\Desktop\iLPxdpxQ3e.exe" MD5: 3E9007A477DD81264659889B9E245C8D)

powershell.exe (PID: 2828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'iLPxdpxQ3e.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["dane1c-58098.portmap.host"], "Port": "58098", "Aes key": "nigga123", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.3"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
iLPxdpxQ3e.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
iLPxdpxQ3e.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x743c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x74d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x75ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x72ae:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\DisconnectCheats	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\DisconnectCheats	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x743c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x74d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x75ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x72ae:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x723c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x72d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x73ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x70ae:$cnc4: POST / HTTP/1.1
Process Memory Space: iLPxdpxQ3e.exe PID: 4900	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.iLPxdpxQ3e.exe.70000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.iLPxdpxQ3e.exe.70000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x743c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x74d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x75ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x72ae:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iLPxdpxQ3e.exe", ParentImage: C:\Users\user\Desktop\iLPxdpxQ3e.exe, ParentProcessId: 4900, ParentProcessName: iLPxdpxQ3e.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', ProcessId: 2828, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iLPxdpxQ3e.exe", ParentImage: C:\Users\user\Desktop\iLPxdpxQ3e.exe, ParentProcessId: 4900, ParentProcessName: iLPxdpxQ3e.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', ProcessId: 2828, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\iLPxdpxQ3e.exe, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iLPxdpxQ3e.exe", ParentImage: C:\Users\user\Desktop\iLPxdpxQ3e.exe, ParentProcessId: 4900, ParentProcessName: iLPxdpxQ3e.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe', ProcessId: 2828, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T20:04:17.798374+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49730	TCP
2024-10-31T20:04:59.091957+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	57765	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: iLPxdpxQ3e.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\DisconnectCheats

Avira: detection malicious, Label: HEUR/AGEN.1311730

Found malware configuration

Source: iLPxdpxQ3e.exe

Malware Configuration Extractor: Xworm {"C2 url": ["dane1c-58098.portmap.host"], "Port": "58098", "Aes key": "nigga123", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.3"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\DisconnectCheats

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: iLPxdpxQ3e.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\DisconnectCheats

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: iLPxdpxQ3e.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: iLPxdpxQ3e.exe	String decryptor: dane1c-58098.portmap.host
Source: iLPxdpxQ3e.exe	String decryptor: 58098
Source: iLPxdpxQ3e.exe	String decryptor: nigga123
Source: iLPxdpxQ3e.exe	String decryptor: <Xwormmm>
Source: iLPxdpxQ3e.exe	String decryptor: XWorm V5.3
Source: iLPxdpxQ3e.exe	String decryptor: USB.exe
Source: iLPxdpxQ3e.exe	String decryptor: %LocalAppData%
Source: iLPxdpxQ3e.exe	String decryptor: DisconnectCheats

Source: iLPxdpxQ3e.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: iLPxdpxQ3e.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: dane1c-58098.portmap.host

Source: global traffic

TCP traffic: 192.168.2.4:57775 -> 193.161.193.99:58098

Source: Joe Sandbox View

IP Address: 193.161.193.99 193.161.193.99

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:57765

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: dane1c-58098.portmap.host

Source: powershell.exe, 00000007.00000002.2034241216.0000021DA4EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000007.00000002.2034241216.0000021DA4EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000B.00000002.2245127681.0000020A566D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000001.00000002.1765854112.000001EA38312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862751633.0000024A4A912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2013900059.0000021D9CA32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1745365971.000001EA284C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3AAC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8CBE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: iLPxdpxQ3e.exe, 00000000.00000002.2921002669.0000000002351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1745365971.000001EA282A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3A8A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8C9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1745365971.000001EA284C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3AAC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8CBE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1745365971.000001EA282A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3A8A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8C9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1765854112.000001EA38312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862751633.0000024A4A912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2013900059.0000021D9CA32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: iLPxdpxQ3e.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.iLPxdpxQ3e.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\DisconnectCheats, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Code function: 0_2_00007FFD9BAB7784	0_2_00007FFD9BAB7784
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Code function: 0_2_00007FFD9BAB69D4	0_2_00007FFD9BAB69D4
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Code function: 0_2_00007FFD9BAB05A8	0_2_00007FFD9BAB05A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BB62E11	1_2_00007FFD9BB62E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BAB53F2	7_2_00007FFD9BAB53F2

Source: iLPxdpxQ3e.exe, 00000000.00000000.1673311479.00000000000BC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisconnectLoader.exe4 vs iLPxdpxQ3e.exe
Source: iLPxdpxQ3e.exe, 00000000.00000002.2930674052.00000000123A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDisconnectLoader.exe4 vs iLPxdpxQ3e.exe
Source: iLPxdpxQ3e.exe	Binary or memory string: OriginalFilenameDisconnectLoader.exe4 vs iLPxdpxQ3e.exe

Source: iLPxdpxQ3e.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: iLPxdpxQ3e.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.iLPxdpxQ3e.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\DisconnectCheats, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: iLPxdpxQ3e.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iLPxdpxQ3e.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iLPxdpxQ3e.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DisconnectCheats.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DisconnectCheats.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DisconnectCheats.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: iLPxdpxQ3e.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: iLPxdpxQ3e.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DisconnectCheats.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DisconnectCheats.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/19@1/1

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File created: C:\Users\user\AppData\Local\DisconnectCheats

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Mutant created: \Sessions\1\BaseNamedObjects\NsX6nPqhojvO4ihe
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0fdp5bm.aph.ps1

Jump to behavior

Source: iLPxdpxQ3e.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: iLPxdpxQ3e.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iLPxdpxQ3e.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File read: C:\Users\user\Desktop\iLPxdpxQ3e.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iLPxdpxQ3e.exe "C:\Users\user\Desktop\iLPxdpxQ3e.exe"
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'iLPxdpxQ3e.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'iLPxdpxQ3e.exe'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats'	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: DisconnectCheats.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\DisconnectCheats

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: iLPxdpxQ3e.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iLPxdpxQ3e.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: iLPxdpxQ3e.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: iLPxdpxQ3e.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DisconnectCheats.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DisconnectCheats.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: iLPxdpxQ3e.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: iLPxdpxQ3e.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: iLPxdpxQ3e.exe, Messages.cs	.Net Code: Memory
Source: DisconnectCheats.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: DisconnectCheats.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: DisconnectCheats.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Code function: 0_2_00007FFD9BAB083A push ebx; retf	0_2_00007FFD9BAB0842
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Code function: 0_2_00007FFD9BAB05A0 push ebx; retf FFEFh	0_2_00007FFD9BAB062A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B97D2A5 pushad ; iretd	1_2_00007FFD9B97D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BA9B87D push ss; iretd	1_2_00007FFD9BA9B88A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BA9B4C8 push cs; iretd	1_2_00007FFD9BA9B4EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BB62316 push 8B485F95h; iretd	1_2_00007FFD9BB6231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B9AD2A5 pushad ; iretd	4_2_00007FFD9B9AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9BAC351D pushfd ; retf	4_2_00007FFD9BAC3542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B99D2A5 pushad ; iretd	7_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B9AD2A5 pushad ; iretd	11_2_00007FFD9B9AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9BAC351D pushfd ; retf	11_2_00007FFD9BAC3542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9BB9491F push eax; ret	11_2_00007FFD9BB949B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9BB94946 push eax; ret	11_2_00007FFD9BB949B9

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File created: C:\Users\user\AppData\Local\DisconnectCheats

Jump to dropped file

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File created: C:\Users\user\AppData\Local\DisconnectCheats

Jump to dropped file

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk

Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Memory allocated: 8F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Memory allocated: 1A350000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Window / User API: threadDelayed 7363	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Window / User API: threadDelayed 2452	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5623	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4149	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8223	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1336	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6638	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2979	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7030	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2503	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe TID: 1244	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe TID: 428	Thread sleep count: 7363 > 30	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe TID: 428	Thread sleep count: 2452 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1744	Thread sleep count: 8223 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1744	Thread sleep count: 1336 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1344	Thread sleep count: 6638 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180	Thread sleep count: 2979 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7000	Thread sleep count: 7030 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452	Thread sleep count: 2503 > 30	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: iLPxdpxQ3e.exe, 00000000.00000002.2932475857.000000001AF50000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAWder %SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats'
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'iLPxdpxQ3e.exe'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats'	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats'	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Queries volume information: C:\Users\user\Desktop\iLPxdpxQ3e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: iLPxdpxQ3e.exe, 00000000.00000002.2932475857.000000001AFEA000.00000004.00000020.00020000.00000000.sdmp, iLPxdpxQ3e.exe, 00000000.00000002.2932475857.000000001AF50000.00000004.00000020.00020000.00000000.sdmp, iLPxdpxQ3e.exe, 00000000.00000002.2932475857.000000001AFDE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\iLPxdpxQ3e.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: iLPxdpxQ3e.exe, type: SAMPLE
Source: Yara match	File source: 0.0.iLPxdpxQ3e.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iLPxdpxQ3e.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\DisconnectCheats, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: iLPxdpxQ3e.exe, type: SAMPLE
Source: Yara match	File source: 0.0.iLPxdpxQ3e.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iLPxdpxQ3e.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\DisconnectCheats, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
iLPxdpxQ3e.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
iLPxdpxQ3e.exe	100%	Avira	HEUR/AGEN.1311730
iLPxdpxQ3e.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\DisconnectCheats	100%	Avira	HEUR/AGEN.1311730
C:\Users\user\AppData\Local\DisconnectCheats	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DisconnectCheats	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crl.mic	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dane1c-58098.portmap.host	193.161.193.99	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dane1c-58098.portmap.host	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1765854112.000001EA38312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862751633.0000024A4A912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2013900059.0000021D9CA32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1745365971.000001EA284C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3AAC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8CBE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1745365971.000001EA284C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3AAC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8CBE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1765854112.000001EA38312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862751633.0000024A4A912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2013900059.0000021D9CA32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000007.00000002.2034241216.0000021DA4EAB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2208449014.0000020A4E1B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micft.cMicRosof	powershell.exe, 00000007.00000002.2034241216.0000021DA4EAB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1745365971.000001EA282A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3A8A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8C9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iLPxdpxQ3e.exe, 00000000.00000002.2921002669.0000000002351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1745365971.000001EA282A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802037434.0000024A3A8A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923225520.0000021D8C9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2071558279.0000020A3E141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2071558279.0000020A3E36A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.micros	powershell.exe, 0000000B.00000002.2245127681.0000020A566D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.161.193.99	dane1c-58098.portmap.host	Russian Federation		198134	BITREE-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546358
Start date and time:	2024-10-31 20:03:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iLPxdpxQ3e.exe renamed because original name is a hash value
Original Sample Name:	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/19@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 87 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target iLPxdpxQ3e.exe, PID 4900 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2828 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3384 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5088 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5436 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: iLPxdpxQ3e.exe

Simulations

Behavior and APIs

Time	Type	Description
15:04:01	API Interceptor	54x Sleep call for process: powershell.exe modified
15:04:58	API Interceptor	6952x Sleep call for process: iLPxdpxQ3e.exe modified
19:05:02	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.161.193.99	Yq5Gp2g2vB.exe	Get hash	malicious	RedLine	Browse	okmaq-24505.portmap.host:24505/
	JnBNepHH7K.exe	Get hash	malicious	AsyncRAT RedLine	Browse	exara32-64703.portmap.host:64703/
	99SKW728vf.exe	Get hash	malicious	RedLine	Browse	lottie9nwtina-55339.portmap.host:55339/
	amazoninvoiceAF0388d83739dee83479171dbcf.exe	Get hash	malicious	RedLine	Browse	tete2792-22120.portmap.host:22120//

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BITREE-ASRU	JJSPLOIT.V2.exe	Get hash	malicious	Quasar	Browse	193.161.193.99
	FudAm.bat	Get hash	malicious	Quasar	Browse	193.161.193.99
	runme.bat	Get hash	malicious	Quasar	Browse	193.161.193.99
	Am.ps1	Get hash	malicious	Quasar	Browse	193.161.193.99
	1.ps1	Get hash	malicious	Quasar	Browse	193.161.193.99
	fud.bat	Get hash	malicious	Quasar	Browse	193.161.193.99
	Am.bat	Get hash	malicious	Quasar	Browse	193.161.193.99
	2.bat	Get hash	malicious	Quasar	Browse	193.161.193.99
	OQVj76229I.ps1	Get hash	malicious	Quasar	Browse	193.161.193.99
	RcKCbSWLVR.exe	Get hash	malicious	Quasar	Browse	193.161.193.99

Process:	C:\Users\user\Desktop\iLPxdpxQ3e.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	305664
Entropy (8bit):	5.4411844232117925
Encrypted:	false
SSDEEP:	3072:InFK9onOjbJ2QAsSdADRq6ty71wtYM77ldY7AXTp2kA3:IFK9bJuwH77Ppj0kA
MD5:	3E9007A477DD81264659889B9E245C8D
SHA1:	7D784A4B63B95F2330217B88E8B1D53B54533FFD
SHA-256:	72905A621DA6DDC614ABF5385B2279779B556792400406B6967AB36A8B6BD39E
SHA-512:	2438EAB27F992C71FA9379DCF012AD89DB79E1C79F92FD32F384C27644891B77EF1BE5BEC96021A3A44DCBC75085BB8425CF25D8CD80D6DCA1E04B361A44A411
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\DisconnectCheats, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\DisconnectCheats, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q."g.....................(........... ........@.. ....................................@.................................8...S........%........................................................................... ............... ..H............text........ ...................... ..`.rsrc....%.......&..................@..@.reloc..............................@..B................p.......H........S..0L............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03ekwddp.vsc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50kqlwzt.ok3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cb2lysg2.ffk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clhvavz4.fpy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ctjmfczu.0id.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehpi01am.1wk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enoiwdcl.qdk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fr24e1yt.z52.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfqb5ezt.lf3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdufll5a.j1n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0fdp5bm.aph.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_na3ejatq.utg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovkrls1c.aip.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5j5efbn.nlu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xn5zdfwq.4hw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yl5jx5nd.veh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DisconnectCheats.lnk

Download File

Process:	C:\Users\user\Desktop\iLPxdpxQ3e.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 18:04:57 2024, mtime=Thu Oct 31 18:04:57 2024, atime=Thu Oct 31 18:04:57 2024, length=305664, window=hide
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.0476340757732405
Encrypted:	false
SSDEEP:	12:8iCZ64+1LTWC8dak/eRk5K1SkjA7fz7a1yC4UNwuLdpCUu44t2YZ/elFlSJmZmV:8zcCz52RsKbA7fzmZ9pCUNqyFm
MD5:	4F7ACE1E038C5A9CF41FBFEED8F6CAD1
SHA1:	28A3BA106D85693206F4CE4BE6EFC5C7413B1601
SHA-256:	E07086B5571342D88DE9278E2C13E2B4DCD39B23C12FF15E783719A03C911F21
SHA-512:	E9B794A5CF1226F81F3437F4EEE17494413BCDF2AEF9E0F8F17E8B7DBB29357BD639E5C7B6875E2012B5E314C7FA838CF6D5567852F5FECCD8C329D0310D8191
Malicious:	false
Preview:	L..................F.... ....o7..+...o7..+...o7..+..........................x.:..DG..Yr?.D..U..k0.&...&......vk.v......{..+...4<..+......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^_Y{............................%..A.p.p.D.a.t.a...B.P.1....._Yy...Local.<......CW.^_Y{.....b.....................^JK.L.o.c.a.l.....j.2....._Y.. .DISCON~1..R......_Y.._Y.............................9..D.i.s.c.o.n.n.e.c.t.C.h.e.a.t.s.......\...............-.......[...........y.<......C:\Users\user\AppData\Local\DisconnectCheats..(.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.D.i.s.c.o.n.n.e.c.t.C.h.e.a.t.s.............:...........\|....I.J.H..K..:...`.......X.......571345...........hT..CrF.f4... .z?......,.......hT..CrF.f4... .z?......,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.4411844232117925
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	iLPxdpxQ3e.exe
File size:	305'664 bytes
MD5:	3e9007a477dd81264659889b9e245c8d
SHA1:	7d784a4b63b95f2330217b88e8b1d53b54533ffd
SHA256:	72905a621da6ddc614abf5385b2279779b556792400406b6967ab36a8b6bd39e
SHA512:	2438eab27f992c71fa9379dcf012ad89db79e1c79f92fd32f384c27644891b77ef1be5bec96021a3a44dcbc75085bb8425cf25d8cd80d6dca1e04b361a44a411
SSDEEP:	3072:InFK9onOjbJ2QAsSdADRq6ty71wtYM77ldY7AXTp2kA3:IFK9bJuwH77Ppj0kA
TLSH:	1554B232BE0C48FEFF12E6B957E8BB1631693EA27D11C51497A87A414E7178FACC1484
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q."g.....................(........... ........@.. ....................................@................................

File Icon


Icon Hash:	024cccdc9839136e

Static PE Info

General

Entrypoint:	0x409f8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722BC51 [Wed Oct 30 23:08:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
dec eax
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
pushad
add byte ptr [eax], al
sbb byte ptr [eax], 00000000h
add byte ptr [eax], al
js 00007F1215022E22h
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
nop
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9f38	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x425c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7f94	0x8000	2633c8d4546d76d36146e0756f8956c4	False	0.49810791015625	data	5.724174474334731	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x425c4	0x42600	bacffccf24ce4e8de4f949ad761696bd	False	0.2948115289548023	data	5.19353595841536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xc	0x200	0c4ea6f1598c429832f3e46ceede309c	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa130	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 39 x 39 px/m	0.29356895582448145
RT_GROUP_ICON	0x4c158	0x14	data	0.9
RT_VERSION	0x4c16c	0x26c	data	0.45161290322580644
RT_MANIFEST	0x4c3d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T20:04:17.798374+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49730	TCP
2024-10-31T20:04:59.091957+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	57765	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:04:59.552333117 CET	57775	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:04:59.557271004 CET	58098	57775	193.161.193.99	192.168.2.4
Oct 31, 2024 20:04:59.557356119 CET	57775	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:04:59.736763000 CET	57775	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:04:59.747098923 CET	58098	57775	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:00.166227102 CET	58098	57775	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:00.166307926 CET	57775	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:00.169296026 CET	57775	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:00.172216892 CET	57778	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:00.174356937 CET	58098	57775	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:00.177124023 CET	58098	57778	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:00.177194118 CET	57778	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:00.197462082 CET	57778	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:00.202408075 CET	58098	57778	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:01.039699078 CET	58098	57778	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:01.039771080 CET	57778	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:01.041102886 CET	58098	57778	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:01.041156054 CET	57778	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:04.045747995 CET	57778	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:04.050088882 CET	57803	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:04.050554037 CET	58098	57778	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:04.054922104 CET	58098	57803	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:04.055253029 CET	57803	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:04.087076902 CET	57803	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:04.091852903 CET	58098	57803	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:04.648844957 CET	58098	57803	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:04.648967028 CET	57803	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:07.903599024 CET	57803	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:07.905838013 CET	57823	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:07.908811092 CET	58098	57803	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:07.910758972 CET	58098	57823	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:07.910851002 CET	57823	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:07.926357985 CET	57823	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:07.931397915 CET	58098	57823	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:08.516293049 CET	58098	57823	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:08.516347885 CET	57823	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:11.528374910 CET	57823	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:11.529793978 CET	57837	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:11.535037041 CET	58098	57823	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:11.535928965 CET	58098	57837	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:11.536001921 CET	57837	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:11.552998066 CET	57837	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:11.558815002 CET	58098	57837	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:12.145081043 CET	58098	57837	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:12.145147085 CET	57837	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:15.653412104 CET	57837	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:15.656428099 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:15.658252954 CET	58098	57837	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:15.661350965 CET	58098	57860	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:15.661418915 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:15.676687956 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:15.681431055 CET	58098	57860	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:17.022109985 CET	58098	57860	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:17.022164106 CET	58098	57860	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:17.022305965 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:17.022305965 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:17.022475958 CET	58098	57860	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:17.022520065 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:19.794111967 CET	57860	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:19.795382023 CET	57878	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:19.799005985 CET	58098	57860	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:19.800339937 CET	58098	57878	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:19.800426960 CET	57878	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:19.815825939 CET	57878	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:19.820794106 CET	58098	57878	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:20.388706923 CET	58098	57878	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:20.388787985 CET	57878	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:23.950402975 CET	57878	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:23.952611923 CET	57902	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:23.955284119 CET	58098	57878	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:23.958384991 CET	58098	57902	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:23.958630085 CET	57902	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:23.975298882 CET	57902	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:23.980923891 CET	58098	57902	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:24.560113907 CET	58098	57902	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:24.560965061 CET	57902	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:27.263362885 CET	57902	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:27.265420914 CET	57921	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:27.268393993 CET	58098	57902	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:27.270215988 CET	58098	57921	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:27.270287991 CET	57921	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:27.286096096 CET	57921	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:27.290956974 CET	58098	57921	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:27.866827011 CET	58098	57921	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:27.866894007 CET	57921	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:30.747179985 CET	57921	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:30.748425007 CET	57937	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:30.752351999 CET	58098	57921	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:30.753379107 CET	58098	57937	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:30.753462076 CET	57937	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:30.768800020 CET	57937	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:30.773798943 CET	58098	57937	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:31.349786043 CET	58098	57937	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:31.349843025 CET	57937	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:35.356734037 CET	57937	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:35.358293056 CET	57963	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:35.361603975 CET	58098	57937	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:35.363174915 CET	58098	57963	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:35.363265038 CET	57963	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:35.379164934 CET	57963	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:35.384061098 CET	58098	57963	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:35.969835997 CET	58098	57963	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:35.969914913 CET	57963	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:38.591732025 CET	57963	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:38.596627951 CET	58098	57963	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:38.604201078 CET	57981	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:38.609594107 CET	58098	57981	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:38.609674931 CET	57981	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:38.818898916 CET	57981	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:38.823873043 CET	58098	57981	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:39.442249060 CET	58098	57981	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:39.442311049 CET	57981	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:39.443197966 CET	58098	57981	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:39.443242073 CET	57981	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:41.747178078 CET	57981	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:41.749270916 CET	58000	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:41.752696991 CET	58098	57981	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:41.754690886 CET	58098	58000	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:41.754755020 CET	58000	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:41.772639036 CET	58000	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:41.778192043 CET	58098	58000	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:42.401722908 CET	58098	58000	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:42.401786089 CET	58000	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:45.059711933 CET	58000	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:45.061232090 CET	58016	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:45.064819098 CET	58098	58000	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:45.065999985 CET	58098	58016	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:45.066603899 CET	58016	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:45.082061052 CET	58016	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:45.087275028 CET	58098	58016	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:45.677166939 CET	58098	58016	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:45.679585934 CET	58016	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:47.341136932 CET	58016	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:47.345068932 CET	58027	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:47.347557068 CET	58098	58016	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:47.350033045 CET	58098	58027	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:47.350099087 CET	58027	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:47.385890007 CET	58027	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:47.391000032 CET	58098	58027	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:47.968441010 CET	58098	58027	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:47.968713045 CET	58027	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:49.309673071 CET	58027	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:49.311398983 CET	58037	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:49.314587116 CET	58098	58027	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:49.316329002 CET	58098	58037	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:49.316395998 CET	58037	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:49.335306883 CET	58037	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:49.340137005 CET	58098	58037	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:49.911137104 CET	58098	58037	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:49.911201954 CET	58037	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:50.669213057 CET	58037	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:50.670489073 CET	58042	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:50.674516916 CET	58098	58037	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:50.676322937 CET	58098	58042	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:50.676403999 CET	58042	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:50.691029072 CET	58042	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:50.695884943 CET	58098	58042	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:51.269634008 CET	58098	58042	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:51.269877911 CET	58042	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:52.216264009 CET	58042	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:52.218293905 CET	58043	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:52.221107006 CET	58098	58042	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:52.223148108 CET	58098	58043	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:52.226619959 CET	58043	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:52.247992039 CET	58043	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:52.252908945 CET	58098	58043	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:52.820178032 CET	58098	58043	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:52.821516037 CET	58043	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:53.357497931 CET	58043	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:53.363192081 CET	58098	58043	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:53.371575117 CET	58044	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:53.376593113 CET	58098	58044	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:53.376820087 CET	58044	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:53.481381893 CET	58044	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:53.486278057 CET	58098	58044	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:53.982986927 CET	58098	58044	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:53.983062029 CET	58044	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:54.544058084 CET	58044	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:54.545216084 CET	58045	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:54.549057007 CET	58098	58044	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:54.550162077 CET	58098	58045	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:54.550244093 CET	58045	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:54.562859058 CET	58045	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:54.567713022 CET	58098	58045	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:55.161448956 CET	58098	58045	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:55.161549091 CET	58045	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:55.325551033 CET	58045	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:55.327733994 CET	58046	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:55.330429077 CET	58098	58045	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:55.332643032 CET	58098	58046	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:55.334629059 CET	58046	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:55.355271101 CET	58046	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:55.360261917 CET	58098	58046	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:55.933028936 CET	58098	58046	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:55.934719086 CET	58046	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.021742105 CET	58046	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.026599884 CET	58098	58046	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:56.041127920 CET	58047	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.046119928 CET	58098	58047	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:56.046606064 CET	58047	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.221936941 CET	58047	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.226919889 CET	58098	58047	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:56.665039062 CET	58098	58047	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:56.665110111 CET	58047	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.818178892 CET	58047	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.820241928 CET	58048	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.823117018 CET	58098	58047	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:56.825109005 CET	58098	58048	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:56.825197935 CET	58048	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.848824978 CET	58048	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:56.854007959 CET	58098	58048	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:57.430676937 CET	58098	58048	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:57.430753946 CET	58048	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:57.559681892 CET	58048	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:57.560765982 CET	58049	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:57.565429926 CET	58098	58048	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:57.565817118 CET	58098	58049	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:57.565911055 CET	58049	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:57.579087019 CET	58049	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:57.584311962 CET	58098	58049	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:58.175424099 CET	58098	58049	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:58.175573111 CET	58049	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:58.497800112 CET	58049	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:58.499739885 CET	58050	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:58.502785921 CET	58098	58049	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:58.504642963 CET	58098	58050	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:58.504730940 CET	58050	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:58.541467905 CET	58050	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:58.546541929 CET	58098	58050	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:59.111862898 CET	58098	58050	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:59.111932039 CET	58050	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:59.325377941 CET	58050	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:59.326633930 CET	58051	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:59.330360889 CET	58098	58050	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:59.331760883 CET	58098	58051	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:59.331856012 CET	58051	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:59.345643044 CET	58051	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:05:59.350708961 CET	58098	58051	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:59.970305920 CET	58098	58051	193.161.193.99	192.168.2.4
Oct 31, 2024 20:05:59.974123001 CET	58051	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.122241974 CET	58051	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.123585939 CET	58052	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.127531052 CET	58098	58051	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:00.128866911 CET	58098	58052	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:00.128985882 CET	58052	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.145313025 CET	58052	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.151616096 CET	58098	58052	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:00.737817049 CET	58098	58052	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:00.738673925 CET	58052	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.856642962 CET	58052	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.858885050 CET	58053	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.862590075 CET	58098	58052	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:00.864361048 CET	58098	58053	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:00.864438057 CET	58053	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.888931990 CET	58053	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:00.894706011 CET	58098	58053	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:01.464570999 CET	58098	58053	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:01.464633942 CET	58053	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:01.467225075 CET	58053	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:01.472222090 CET	58054	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:01.478234053 CET	58098	58053	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:01.484493971 CET	58098	58054	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:01.484558105 CET	58054	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:01.534236908 CET	58054	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:01.539350986 CET	58098	58054	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:02.091357946 CET	58098	58054	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:02.093430042 CET	58054	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:02.122239113 CET	58054	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:02.123487949 CET	58055	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:02.127408028 CET	58098	58054	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:02.128571987 CET	58098	58055	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:02.128743887 CET	58055	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:02.145510912 CET	58055	58098	192.168.2.4	193.161.193.99
Oct 31, 2024 20:06:02.151057959 CET	58098	58055	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:02.727833986 CET	58098	58055	193.161.193.99	192.168.2.4
Oct 31, 2024 20:06:02.727953911 CET	58055	58098	192.168.2.4	193.161.193.99

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:04:20.519566059 CET	53	63959	1.1.1.1	192.168.2.4
Oct 31, 2024 20:04:59.480030060 CET	61583	53	192.168.2.4	1.1.1.1
Oct 31, 2024 20:04:59.543873072 CET	53	61583	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 20:04:59.480030060 CET	192.168.2.4	1.1.1.1	0x5b8e	Standard query (0)	dane1c-58098.portmap.host	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 20:04:59.543873072 CET	1.1.1.1	192.168.2.4	0x5b8e	No error (0)	dane1c-58098.portmap.host		193.161.193.99	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:03:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\iLPxdpxQ3e.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iLPxdpxQ3e.exe"
Imagebase:	0x70000
File size:	305'664 bytes
MD5 hash:	3E9007A477DD81264659889B9E245C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1673311479.0000000000072000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:04:00
Start date:	31/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\iLPxdpxQ3e.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:04:00
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:04:08
Start date:	31/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'iLPxdpxQ3e.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:04:08
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:04:19
Start date:	31/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\DisconnectCheats'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:04:19
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:04:34
Start date:	31/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DisconnectCheats'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:04:34
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9BAB05A8 Relevance: 1.9, Strings: 1, Instructions: 628COMMON

Download Yara Rule

Strings

SAN_^, xrefs: 00007FFD9BAB0FB6

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID: SAN_^
API String ID: 0-3629432999
Opcode ID: 3a74639439c118a6c896435128bf82aa6073d0dcd29fbf8829f6493f41a16c76
Instruction ID: 73c28440d2246b9e8c7d8360ac65a3750053f0b6092a2beb128af29b15bf25b0
Opcode Fuzzy Hash: 3a74639439c118a6c896435128bf82aa6073d0dcd29fbf8829f6493f41a16c76
Instruction Fuzzy Hash: 12121731F2DA194FE7A8EB78846AAB977D2FF98314F41057DE01DC32D6DE28A8018741

Function 00007FFD9BAB69D4 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f398e9f574ab8965206ba5b9d7480958e25bda610d2d6e6b572c1687fa30d21
Instruction ID: cea1c2866f551a158cc17167ba6b16ba896ea54e0a6336cc8efcc24d255f2256
Opcode Fuzzy Hash: 2f398e9f574ab8965206ba5b9d7480958e25bda610d2d6e6b572c1687fa30d21
Instruction Fuzzy Hash: 6DD16030A19A4D8FEBA8DF28C8557E977E1FB58300F14826EE85DC7295CF74E9418B81

Function 00007FFD9BAB7784 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f0227648e19e70096b09843201a6e892d020308170c849b1d910f9f56ecc31
Instruction ID: 068520e37f9c8dacb822a66d324ec066945de0d6d87057d2c6172fe50aec485a
Opcode Fuzzy Hash: 58f0227648e19e70096b09843201a6e892d020308170c849b1d910f9f56ecc31
Instruction Fuzzy Hash: 7ED19530A09A4E8FEBA8DF68C8557E977D1FF58310F14826ED81DC7695CFB499808B81

Function 00007FFD9BAB2DD5 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BAB2E39

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: b78018284864816b6b8aa274fe6b79f6f690668698af24e99c297b5bffaefa1c
Instruction ID: bc8451e584e8e92a4458acd583c2608af29f39dfb9fa4a508a7cde86ed9a1bb3
Opcode Fuzzy Hash: b78018284864816b6b8aa274fe6b79f6f690668698af24e99c297b5bffaefa1c
Instruction Fuzzy Hash: 00A1E5607189494BE744F7AC9865B79B3D6EFE831AF1402B6E01DC32EBCD68B841C752

Function 00007FFD9BAB83E1 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BAB8443

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 56cd8ac0370ed676977f3ed0660f7a22f632278fc07fe38aa880eb3ada8a6e75
Instruction ID: 421df60f1df7adac79c1989eba0fe8d4730fac0332deef47bef49ffa2557df0e
Opcode Fuzzy Hash: 56cd8ac0370ed676977f3ed0660f7a22f632278fc07fe38aa880eb3ada8a6e75
Instruction Fuzzy Hash: C6115C32E0E26D4FEB246BE888152FD7BA0EF15310F02017BC858D32E2DB6859408B81

Function 00007FFD9BAB1EC9 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SAN_^, xrefs: 00007FFD9BAB1EE6

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID: SAN_^
API String ID: 0-3629432999
Opcode ID: 4bd5bf3139ab2be8fb9a3eb32b894fd89eb17109c237de43a14b8373a33ef6f1
Instruction ID: a2ff39252cf6825988de26010afd5e923b9f1a8ac7604760b057f588ba5afee2
Opcode Fuzzy Hash: 4bd5bf3139ab2be8fb9a3eb32b894fd89eb17109c237de43a14b8373a33ef6f1
Instruction Fuzzy Hash: AFF0C821F1D12A07E378A3B94431ABD21A25FD5320F850378E02DC71E6CEBCAA018641

Function 00007FFD9BAB27F2 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e469489afa97a9d23e852bc47a0d6cc8358a3e9e722c2515c17d714d2c62bfc5
Instruction ID: 08429f611f6cf601a50c4f5f4b954831ecf14b6bbc97ae842c2e460ceddd2e3f
Opcode Fuzzy Hash: e469489afa97a9d23e852bc47a0d6cc8358a3e9e722c2515c17d714d2c62bfc5
Instruction Fuzzy Hash: F8D16B22B0EBD91FE766A7BC68745E93FA0DF96314B0905FBE0A9CB1E3DC1819058351

Function 00007FFD9BAB28D3 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7bbed8e8d44ebc60f3b3b300fc41c2a50d45f875be8deb2ebee954715c303d
Instruction ID: 736725e5b9e5cf95c533c1f3b7f05c20af7a3b54bbbd276ca92e64c010206f98
Opcode Fuzzy Hash: ac7bbed8e8d44ebc60f3b3b300fc41c2a50d45f875be8deb2ebee954715c303d
Instruction Fuzzy Hash: 5DB17922B0EB990FD769E77C58746E93BE1DF9A314B0902BBE06DCB1E3DC1819058751

Function 00007FFD9BAB8B29 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a7b981b0ed731a9e6c7c561c8663cdf066adc74795ddb9d09ad39efd909699
Instruction ID: 053020f2d8505f742e57c6fc5ea3d353294dee27a1ca6ce91f6c40f0db3a6295
Opcode Fuzzy Hash: 25a7b981b0ed731a9e6c7c561c8663cdf066adc74795ddb9d09ad39efd909699
Instruction Fuzzy Hash: BB9169B1F0E95E0FE768EB7C88656A477D0EF55320F4502BAE02CC71E6DE6CA8068741

Function 00007FFD9BAB0700 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20673f7613c9b73d87d8a1a793abf2ad097466ca36624485811fd6e72b64a4f
Instruction ID: bc9bb04e994f276da9b5cae85a70b115e2e522e26b566f46cefd9b777adf820f
Opcode Fuzzy Hash: c20673f7613c9b73d87d8a1a793abf2ad097466ca36624485811fd6e72b64a4f
Instruction Fuzzy Hash: 9A811B62F19E1D0FE7ACAB6C54697B977D2EF98314F54027EE02EC32D6DD6868028740

Function 00007FFD9BAB7394 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584895ac68bd26213998e1d9f5ac2f9bb8cb9a58ac88a1e86e033eda1834dea4
Instruction ID: 2a5aa23f35e85dc2bba38b34aa73cccace7152ef170f985309088663ff3b3cc4
Opcode Fuzzy Hash: 584895ac68bd26213998e1d9f5ac2f9bb8cb9a58ac88a1e86e033eda1834dea4
Instruction Fuzzy Hash: 56818530A18A4D8FDBA8DF28D855BE937D1FF58311F10426EE85DC7295CE749941CB81

Function 00007FFD9BAB04F2 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76642e08c830445fa26ecc125a7a9918741d6fe8322a1d631c6af2ade6c4788
Instruction ID: af4f00d27851f94e280281833b2dc74722696efae59a46bf2620f1bc349954eb
Opcode Fuzzy Hash: c76642e08c830445fa26ecc125a7a9918741d6fe8322a1d631c6af2ade6c4788
Instruction Fuzzy Hash: 91513B22B1DA590FE358EB6C68756F877C1DF98325B0406BBF05DC72E7DD5868428381

Function 00007FFD9BAB9ADD Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556d449dd32f04ddc99bfa5b340f9388bc8e539dbcda4579554e803bbe1765dc
Instruction ID: f5dded4d9d4b47410c79ffc28b256e6c69eb52f82021b20356abdc3c62f211f1
Opcode Fuzzy Hash: 556d449dd32f04ddc99bfa5b340f9388bc8e539dbcda4579554e803bbe1765dc
Instruction Fuzzy Hash: 1D617770A0D69D8FD755DB68C829AB97FE0EF52320F0841BED05CC71E3DA686406CB51

Function 00007FFD9BAB84BD Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8529c4c27406158c8d5912880d9d079d49c1afe3233e541795ebf9c18c9ab1fa
Instruction ID: 456caec355774933e562feef181ae6a7047f558cf983f60418207ef89597af4d
Opcode Fuzzy Hash: 8529c4c27406158c8d5912880d9d079d49c1afe3233e541795ebf9c18c9ab1fa
Instruction Fuzzy Hash: 98519330A18A1C8FDB58DF58D855BEDBBF1FF98311F1042AAD05DD3296CA74A9428F81

Function 00007FFD9BAB0432 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c040a2f5789bfd4914ad33e6ef9c658f9a965b33e905c0da6fc0d3d8c40922
Instruction ID: ffa2c8b4de6d220b284f53f5255033c7fc7b3c166ca1afa183403ee56fa1978b
Opcode Fuzzy Hash: f8c040a2f5789bfd4914ad33e6ef9c658f9a965b33e905c0da6fc0d3d8c40922
Instruction Fuzzy Hash: 15514522B0DA980FE768AB6C58756F87BD1EF99325B0801FBE05DC72E7DD589C018381

Function 00007FFD9BAB906D Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b049d69c4e443a421b6357ece9cb848936822442e34d31e5774c8eb56be48c
Instruction ID: 891c017a6d66ce733fc5bc5d9d30703c24ed50772acbcde214ef746abbd741fe
Opcode Fuzzy Hash: 57b049d69c4e443a421b6357ece9cb848936822442e34d31e5774c8eb56be48c
Instruction Fuzzy Hash: A8512631F1D95C5FDB95EB789869AF977E1EF88310F0501B6E01DC32E2CD28A8428B41

Function 00007FFD9BAB424C Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fc362ff0512c5595ce2a7ccc8e0749f4ad53ba2cac434ae2bf679d061b92e5
Instruction ID: 986d160daf90caf39878e3bb056d1012305d5839b0a5359b6fd752fd6dbadb8e
Opcode Fuzzy Hash: c1fc362ff0512c5595ce2a7ccc8e0749f4ad53ba2cac434ae2bf679d061b92e5
Instruction Fuzzy Hash: 33518031D08A1C8FDB68DB58D855BE9BBF1FB59310F1082AAD00DD3292DE74A9858F81

Function 00007FFD9BAB2318 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990e07e7ab82c3a858bc8ed70c54be5ad68c7862cefec6c62fe3f3048c43b495
Instruction ID: cda17c03d57e288b4f057caad6bbdf15459cc519a314946ffab5dc61cdc363e8
Opcode Fuzzy Hash: 990e07e7ab82c3a858bc8ed70c54be5ad68c7862cefec6c62fe3f3048c43b495
Instruction Fuzzy Hash: 4B516D31E0E7894FE71A97B458316A4BF90EF57320F1902FAD069C71E3DE686842CB51

Function 00007FFD9BAB0728 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349e516c0c12296d5f61f1a901d72e3a9fe51c0fbc6203b9cf2a49328dcd3ce8
Instruction ID: 0f26bf4933eae9dea85929bbcd022331391c923f190a6af33d38ccfd80ae9ffc
Opcode Fuzzy Hash: 349e516c0c12296d5f61f1a901d72e3a9fe51c0fbc6203b9cf2a49328dcd3ce8
Instruction Fuzzy Hash: 9E516F30F1991D8FEB98EB6CD865AAC73E2FF88314F454175E01DD32A5CE68A9418B41

Function 00007FFD9BAB1415 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bb0d63b1e10e8915a0993db921e65a9befdb2a2a6e05b26c49a36915c5e85d
Instruction ID: bc37f8f5c086d3cd996c09b05d24c58614beaf1d918264b1230c444e62b62df3
Opcode Fuzzy Hash: 69bb0d63b1e10e8915a0993db921e65a9befdb2a2a6e05b26c49a36915c5e85d
Instruction Fuzzy Hash: 25514460B2EAC90FD79AAB7848756757FD1DF9A219F0801FAE09DC72E7CD485842C342

Function 00007FFD9BAB8DE1 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b28248ad38402d59cebbc35e284c208c560cf62dbec5e39b6723d439aea768b
Instruction ID: a99f5bba9430b24688fe0c1d20fdc7a8d8bcb1b5351fe750044ed71a4812d461
Opcode Fuzzy Hash: 8b28248ad38402d59cebbc35e284c208c560cf62dbec5e39b6723d439aea768b
Instruction Fuzzy Hash: 8151C230F1E95D4FEBA5EB6CC8616A877E1FF85310F0541BAE01DD32E6CE28A9458B41

Function 00007FFD9BAB2075 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1ba72376a89f100656fd200fa5760d1a0a010c0805eefe8c5ff7c6c498a26e
Instruction ID: 75e7b2d860f530cee9b5e90b59480026f490915bbbd41d7236898081ab30e082
Opcode Fuzzy Hash: 9f1ba72376a89f100656fd200fa5760d1a0a010c0805eefe8c5ff7c6c498a26e
Instruction Fuzzy Hash: 73418274A09A1C8FDB98EF68D469AA97BE1FF54311F04016FD00EC36A2CB75E841CB41

Function 00007FFD9BAB0BFE Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d3e08d23f42f05aae994ca010952882cfaec86efc4cbdbcfd26e2cc154291d
Instruction ID: a1a2692ba118131640b058db9c2b189d53f313ebc4bed797b11cd1b5c73c8b8d
Opcode Fuzzy Hash: 93d3e08d23f42f05aae994ca010952882cfaec86efc4cbdbcfd26e2cc154291d
Instruction Fuzzy Hash: 9E416A21B1DA9A0FE3A5AB7C48255B937D6DFD6324F0901BBD45DC32EBDD586C028342

Function 00007FFD9BAB0768 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f30a7d407bf92f9e0916a41cba00f034ab8a3d0b4b8f1ab054eaccf5e4ce55
Instruction ID: 2cdb87bfc639e1ab94b39ad7afda9efa533249f6f964715acea59ea93867d33c
Opcode Fuzzy Hash: d7f30a7d407bf92f9e0916a41cba00f034ab8a3d0b4b8f1ab054eaccf5e4ce55
Instruction Fuzzy Hash: D1416FB4A09A1D8FDBA8EF98D469AA977E5FB54311F00417FD00ED36A1CB75A841CB40

Function 00007FFD9BAB1662 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d68bb0fb57e4e1f9cdf6832fc3cf3a499f130b051c211a8c0ea35f6db78dc9
Instruction ID: 58746982383bb1ff8f734bd66e5b48039bce924f77334c775d42f043871a550d
Opcode Fuzzy Hash: e9d68bb0fb57e4e1f9cdf6832fc3cf3a499f130b051c211a8c0ea35f6db78dc9
Instruction Fuzzy Hash: 15418470B28D198FDB99F7388461AB9B2D6FF98714F5046B8E01EC32DACD39B8418741

Function 00007FFD9BAB8821 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c3538fe35d2183dad78bbf11fe978e0b1ae9511439527c582283c4a1849ddd
Instruction ID: 2243e85804c539e8fe3082cde91b534e9d32bc7e8bec80f0185d0c1cf8950532
Opcode Fuzzy Hash: e6c3538fe35d2183dad78bbf11fe978e0b1ae9511439527c582283c4a1849ddd
Instruction Fuzzy Hash: 1241B071B0A95D4FEB95EBAC84696EC77F1FF98310F04017AD41DD32A2DF2898428B41

Function 00007FFD9BAB04D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aacf1314d197664eb4f494897bb3cd77cec618261a6eeac4aa39810eb7845a7
Instruction ID: 0a04efa7c3e01799d0c0ad2970a058de4c0ab7d255fd3839bb001094427cf0a5
Opcode Fuzzy Hash: 4aacf1314d197664eb4f494897bb3cd77cec618261a6eeac4aa39810eb7845a7
Instruction Fuzzy Hash: 1B31D521B28A480FE798EB6C446A679B6C2EFD9315F0505BEF05EC72D7DD94AC428341

Function 00007FFD9BAB06F8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9588c7c6bfa762746ea88058389da8c30c4ccee72993b6b9433b6d46184263f
Instruction ID: c7ce09a9f60361ac810c0cdd8e14ccc95fa5699bb39062285197cba5a64679ba
Opcode Fuzzy Hash: c9588c7c6bfa762746ea88058389da8c30c4ccee72993b6b9433b6d46184263f
Instruction Fuzzy Hash: BD41E531F09A1E4BEB68EBA894646B9B7E1EF58310F15017DD02EC32D6DE69A8418B41

Function 00007FFD9BAB0A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a45d057aafd561d740cdccfd698addb6aaaada82386c64db0f3524c3644225
Instruction ID: 80649cd810f62d3e78559df445c2b38ee5fe68f5403a3b4b8ff17bba72bac9e4
Opcode Fuzzy Hash: 79a45d057aafd561d740cdccfd698addb6aaaada82386c64db0f3524c3644225
Instruction Fuzzy Hash: 0F312511B199590FE7A8BBBC48697B877C2EFA8715F0502BAF01DC32E7DE5869018781

Function 00007FFD9BAB125E Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fa0f4792a0f5a8f166584af220f4dfbcd0076bd2a97a212dadbe1dce295c92
Instruction ID: 2d7206cc9027d4fa098f586f1ab6f8783ef3bb45bf89ad02e6e96f0d0105628f
Opcode Fuzzy Hash: b0fa0f4792a0f5a8f166584af220f4dfbcd0076bd2a97a212dadbe1dce295c92
Instruction Fuzzy Hash: 2E313C53F2ED9A0BE7A4A76C08756B967C1EFA8694B4402BDD0AEC71DBDC5968020780

Function 00007FFD9BAB0AB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37dbc15c19ede7efcdedf1367152b7244fa17b6b2150799dbdc00b37426629d
Instruction ID: e64e92635085e93f7fd679f5edf0cee93603063d8764bcc87838e3db74f5e385
Opcode Fuzzy Hash: f37dbc15c19ede7efcdedf1367152b7244fa17b6b2150799dbdc00b37426629d
Instruction Fuzzy Hash: 6931D711B18D1D0BEBA8BBAC48697BD66C2EFAC716F05027AF01DC32D6DD5869014781

Function 00007FFD9BAB0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe30c7187c8c7332477544f8dfdab4a3a56f72c8213182a18a529985288d2956
Instruction ID: 6c76c04af6e57be9ac36d2f9f70c8d6005923dd422bd568d79fe84a6e6ef53d4
Opcode Fuzzy Hash: fe30c7187c8c7332477544f8dfdab4a3a56f72c8213182a18a529985288d2956
Instruction Fuzzy Hash: 0F31B270B18A1E8FDB48EBA88865AED7BA1FF98314F500579E01DD72D6CE386801CB40

Function 00007FFD9BAB86E9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371ab1c27243e740f9ca0b7d7b4507c18725db76ab0300cffbad281adce95a95
Instruction ID: c1f81529e488aa4fa4aecec594cdab18eed9bce784729d448d39721559f09d0f
Opcode Fuzzy Hash: 371ab1c27243e740f9ca0b7d7b4507c18725db76ab0300cffbad281adce95a95
Instruction Fuzzy Hash: 65310B71A4D99A9FEB56EB7CC4A15A83BE0EF46314F1501B6D01CC32E2DE78B841CB41

Function 00007FFD9BAB2C63 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74924f8e82aa7e2bf80a126403a1836b16f4f83fe57d6e99405f9290221713f7
Instruction ID: 13c5d764a3a9400878efb56ead15eeac5f9047ac69063980655e27efe16ca063
Opcode Fuzzy Hash: 74924f8e82aa7e2bf80a126403a1836b16f4f83fe57d6e99405f9290221713f7
Instruction Fuzzy Hash: CA116062B2CD590FD768976C24255B977C1EFC9314F40037EE05EC32D6DD5C59024781

Function 00007FFD9BAB9221 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753cb3ba1228b1434dc7a18f18ad9e552f3b8f5fed9c8734d2bad0bd86eb79a9
Instruction ID: 7c96e43d8160dc923e2a2a1e24c93cef5c8f12f0db9e03eaa1532698a54b5701
Opcode Fuzzy Hash: 753cb3ba1228b1434dc7a18f18ad9e552f3b8f5fed9c8734d2bad0bd86eb79a9
Instruction Fuzzy Hash: BB212831F0D91D4BDB68EB6894696BCB3E1EF48310F40017EE41EC72D6CE7458018B41

Function 00007FFD9BAB1CAD Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5568fd25cfff5239dc6922aeb28373c4dee87e20be0c3e9ab3904cfe1442465
Instruction ID: 6bf0dd62f6f81c8a963e3c70cfe05f5505421e1eda7111c04dad9d09b7c918c9
Opcode Fuzzy Hash: d5568fd25cfff5239dc6922aeb28373c4dee87e20be0c3e9ab3904cfe1442465
Instruction Fuzzy Hash: B1213893F1FADA5FF722177808361947F90BF73610B0E41ABD4B8060E3DA85A918C786

Function 00007FFD9BAB183D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748fb678105d48073b06adcd18370d46282c2a01b1f9197431fabf36dd5f0110
Instruction ID: 6ad9c40980409b80cd853f8eb65f8a8bfd2bc0c3b5aedee02f7bc218ecb5948a
Opcode Fuzzy Hash: 748fb678105d48073b06adcd18370d46282c2a01b1f9197431fabf36dd5f0110
Instruction Fuzzy Hash: A5113672E0959D0FDB11ABA8586A4FE7BF0FF25311F050177E02CC7192DA7C56428791

Function 00007FFD9BAB8260 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9a1e33912cff160152cd0f2ae9a8957e5fb657cf5c4358971cc176cc003726
Instruction ID: 12ba06642dcfd43155b1a70833c1c5386901f86d3e08c8d0e432c2827b065e67
Opcode Fuzzy Hash: 5c9a1e33912cff160152cd0f2ae9a8957e5fb657cf5c4358971cc176cc003726
Instruction Fuzzy Hash: 8E112572F0DD5E0FEB62E76C58265AC7BD0EFA5260F0502B3E02CC31E2DE5428014782

Function 00007FFD9BAB8A48 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abee6db1b5661d0c01a34340729e79c81343a60c5cb7d95cbf1dddb420037e53
Instruction ID: c83e6a9b20c3736a1e32038baa9f1380b284497aa0ab553bacd73b454aa70c74
Opcode Fuzzy Hash: abee6db1b5661d0c01a34340729e79c81343a60c5cb7d95cbf1dddb420037e53
Instruction Fuzzy Hash: 7F01A162B2441F4FD758E7A888625FDB772FF88340F814179E01AE71E6DD642D018B40

Function 00007FFD9BAB1870 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b3573809c19c4b3c896676126b856ddbfd75b3b1f1b8a89d45fda385f4e345
Instruction ID: 6a3bfc52b1b4cd58713de914757824ecbdfdb9df6c4e111a7d57c899848c9de8
Opcode Fuzzy Hash: 22b3573809c19c4b3c896676126b856ddbfd75b3b1f1b8a89d45fda385f4e345
Instruction Fuzzy Hash: 37F08C71F0491D4ADF44EBA898595FEBBF0FF18305F000576E41DD2299DE7559418781

Function 00007FFD9BAB15A1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626d0f740f6276bc9519f188a66dbddab7d20418d622a51feca09167c40687f3
Instruction ID: 80c55a901ca22605e4a6e3ddbb91f49c92d44cf0dca32f6fd787b1f9b6aa5a50
Opcode Fuzzy Hash: 626d0f740f6276bc9519f188a66dbddab7d20418d622a51feca09167c40687f3
Instruction Fuzzy Hash: 83019900B1D7D50FE751A73818AA8727FF0CFA2200B0805AAF8CDC60E7DC486A408782

Function 00007FFD9BAB1FFD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff74e58c31a626ca2ec00c1e58bef443bf456ff1aecbda099d5b926e18c6b35
Instruction ID: 38d8dd9a219f73c74e605499623c7667957a6cc5d40c039e7e71588dc7b262dc
Opcode Fuzzy Hash: 6ff74e58c31a626ca2ec00c1e58bef443bf456ff1aecbda099d5b926e18c6b35
Instruction Fuzzy Hash: 83014E10F1E6160FEBB467F854756782A90DF84314F4201FAE01DC61EBCD5C6D41C742

Function 00007FFD9BAB1E90 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937326324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_iLPxdpxQ3e.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0727e326ec214077953082250bfcf8aa327573be261f72537de09a27b7492e7b
Instruction ID: 6c36318f426b67e6ddd62f80ece80c5557f36695c8d862522fcfe5298bd132a2
Opcode Fuzzy Hash: 0727e326ec214077953082250bfcf8aa327573be261f72537de09a27b7492e7b
Instruction Fuzzy Hash: 86A00204D9781E01D82872FB5D9749574506B89914FC66660F81880596F8CE56E906A7

Analysis Process: powershell.exePID: 2828, Parent PID: 4900COMMON

Executed Functions

Function 00007FFD9BB66605 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

X7*8, xrefs: 00007FFD9BB667FD

Memory Dump Source

Source File: 00000001.00000002.1774477726.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID: X7*8
API String ID: 0-1236303858
Opcode ID: c0e133d3cdf123305de4dd931ef237bccdcd5c9e4722aaa33261ff9795e2407e
Instruction ID: 5680258b1724028125921fac2b60d96fc3fad2f8e58aab4029a972c650d5daf3
Opcode Fuzzy Hash: c0e133d3cdf123305de4dd931ef237bccdcd5c9e4722aaa33261ff9795e2407e
Instruction Fuzzy Hash: 19C15872B0E68E8FEBA597A858655F57B91FF56328B0901BFD44EC70E3D918AC01C341

Function 00007FFD9BA9644D Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774087624.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242264c266c45d05dde0b1904564646bc621a10555076f5196884e53d2eb5c2e
Instruction ID: a271c5689f9d55c4b2f681807200c080704db5807ccb9edca390b17ae08a89d2
Opcode Fuzzy Hash: 242264c266c45d05dde0b1904564646bc621a10555076f5196884e53d2eb5c2e
Instruction Fuzzy Hash: 4ED18F31A08A4D8FDF98DF9CC465AAD7BE1FF68340F15426AD409D72A6CB74E841CB81

Function 00007FFD9BA9A0D3 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774087624.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58701af45a78b9ca995dcd8a96710c37f5b98dd6e54af714e6bb34e7df83cc3
Instruction ID: f6856e1eeb342886ef56a7c5d175c4c15bbffd924ada8dce783da5daa004ebd4
Opcode Fuzzy Hash: b58701af45a78b9ca995dcd8a96710c37f5b98dd6e54af714e6bb34e7df83cc3
Instruction Fuzzy Hash: 63118F7690F7C85FD7538B38886A0903FB0EE6321170A01EBC488CB1B3D9595D4DC7A2

Function 00007FFD9BA99758 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774087624.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a7ddcb5cf57ef06711d3645a4c8c1b7bf216a1aa242bd88121a2f8ae8fd607
Instruction ID: 9d638a9a5d21ef9d1925eb5d3ed641825ee037b9b564b4f9b3a6cafdeaadbb4e
Opcode Fuzzy Hash: d6a7ddcb5cf57ef06711d3645a4c8c1b7bf216a1aa242bd88121a2f8ae8fd607
Instruction Fuzzy Hash: 8B31E431A1CB4C5FDB589B5C984A6A97BE0FB98710F14822FE449C3292CA60A955CBC2

Function 00007FFD9B97E620 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1773715213.00007FFD9B97D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B97D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee054f1d7d739025062da82c1773217fdf765deda30db99491f0e3d518392d8d
Instruction ID: 110030f7b948de39a5fbc9d732e84fcd32f262b31712cdd9ac96204f68166b70
Opcode Fuzzy Hash: ee054f1d7d739025062da82c1773217fdf765deda30db99491f0e3d518392d8d
Instruction Fuzzy Hash: 0D41267140EBC45FE766DB39D8959523FF0EF52320B1905DFD088CB1A3D625A846C792

Function 00007FFD9BA9A62C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774087624.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b68923c80c22dd1b7fe26616f21686355398cf5516dcf78944cebef6cbb883a
Instruction ID: 5f8f25aba78897a3858f6032a4edb5be99b8246df38342fec2de67705fbbd32e
Opcode Fuzzy Hash: 6b68923c80c22dd1b7fe26616f21686355398cf5516dcf78944cebef6cbb883a
Instruction Fuzzy Hash: F721F63090CA4C4FEB58DFACD84A7F97BF0EB96321F04426BD049C7156DA74A41ACBA1

Function 00007FFD9BB66809 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774477726.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0785271cd2ce896078db944dc26c165b776b2bad283f1af3cb79439efc7f454
Instruction ID: f5c2c55a234655af36a5a4a93101152172968b58dd67634ff378a9c070c17cd9
Opcode Fuzzy Hash: b0785271cd2ce896078db944dc26c165b776b2bad283f1af3cb79439efc7f454
Instruction Fuzzy Hash: 66112372F0E68E8FEBA4DAA890A05B87791FF18328F1541BFC14EC71E3D919AC018350

Function 00007FFD9BA933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774087624.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: e3f7d4d4d58fbdedf9c6af5607cce508aaa45b5c74a85b115e698ec3b0c19091
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 3D01A73020CB0C4FD748EF0CE051AA6B3E0FF85320F10056DE58AC36A1DA32E882CB45

Function 00007FFD9BB6414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774477726.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e01ec9d512e3769760a35fdea27209628687fed6bd0e5a6a49006b60bdc86a
Instruction ID: eb7bfbab6144784c4d8d84eefc1730b158009c85478730365f3c8b411c717f41
Opcode Fuzzy Hash: 27e01ec9d512e3769760a35fdea27209628687fed6bd0e5a6a49006b60bdc86a
Instruction Fuzzy Hash: BBF09A32B0E9098FD768EB4CE4528A877E0FF5532471200BAE16DC71B3CA25EC408B40

Function 00007FFD9BB64400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774477726.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4680d9270555e964ac4be7a7b5ad5505f4d078ed15248cbb6b0a2fb0f3b1362f
Instruction ID: 64e4620421cd0bcbd2e10d8901d22167a4f14e8d102e0cbd0940c07b0051e797
Opcode Fuzzy Hash: 4680d9270555e964ac4be7a7b5ad5505f4d078ed15248cbb6b0a2fb0f3b1362f
Instruction Fuzzy Hash: 2CF0BE32B0E9498FD769EB4CE0628A877E0FF0532474200BAE15DC70A3CA26AC50C740

Function 00007FFD9BB641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1774477726.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c566b0446571b1b202708e4a8accaff3b77d1c5caeb67e9b55a4e0150a067685
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 82E0E531B0C808CFDA78DA4CE0519A977E1FB9833571201BAD14EC75A1CA22ED518B80

Non-executed Functions

Function 00007FFD9BA98BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

O_^J, xrefs: 00007FFD9BA98C8A
O_^7, xrefs: 00007FFD9BA98C12
O_^4, xrefs: 00007FFD9BA98BFA
O_^F, xrefs: 00007FFD9BA98C7A

Memory Dump Source

Source File: 00000001.00000002.1774087624.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID: O_^4$O_^7$O_^F$O_^J
API String ID: 0-875994666
Opcode ID: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
Instruction ID: 58069dec4aa94bcd9365a6d8c0b1d43f6191b7e03571870b7a7777fc693c9e26
Opcode Fuzzy Hash: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
Instruction Fuzzy Hash: EA21D7777195259ED315BB7DBC149D93740CFE827B74502B3E1AE8F283E9147086C690

Analysis Process: powershell.exePID: 3384, Parent PID: 4900COMMON

Executed Functions

Function 00007FFD9BB96605 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1892040543.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b028513b976ff084f20ea12cbad244ca004353039a5dbd643e9e28893ef3a2
Instruction ID: 2fc43dc3640ec8db3ca0e72d0be885728998ba5c2dc1199f256a24218ee7d9e2
Opcode Fuzzy Hash: 80b028513b976ff084f20ea12cbad244ca004353039a5dbd643e9e28893ef3a2
Instruction Fuzzy Hash: 8DD13871A0EA8D0FE7A5A7A888755B57B90FF1635CB0901FFD44EC70E3D918A905C351

Function 00007FFD9BAC9885 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250678cb4e7ff6b93c4d96a6727829472e611d28518cd74df2caa8623072f2d8
Instruction ID: 663ec3127cc6ddc2cff8392f84224eca1b91806432041c908bda537e6969c234
Opcode Fuzzy Hash: 250678cb4e7ff6b93c4d96a6727829472e611d28518cd74df2caa8623072f2d8
Instruction Fuzzy Hash: 2641D931A1CB488FDB1D9B5CA84A6F8BBE0EB56331F00426FD04993592CB757456CBC6

Function 00007FFD9BACA49C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09c90875fbed8d3111523c52fb795e2b150844e61b692fe7fa0c8751e6991a9
Instruction ID: 5750d63a2d9f785fb7ef744f9ac6898deaa35d0bd656b49381d1cc7e6042fed5
Opcode Fuzzy Hash: b09c90875fbed8d3111523c52fb795e2b150844e61b692fe7fa0c8751e6991a9
Instruction Fuzzy Hash: 9541F63190C78C8EEB19DB9CE84A7F97BE0EB56331F04816BD049C3156D6746456CB91

Function 00007FFD9B9AE8EF Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1890527245.00007FFD9B9AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b9ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00228cc6f5bb8e98420062aed2a92cca37a0d77871f5a609ab25dfd90933119
Instruction ID: 94a91ba66fb0ac919c5df815c8590bc1bd26410d057f08a84511a1a12301c828
Opcode Fuzzy Hash: b00228cc6f5bb8e98420062aed2a92cca37a0d77871f5a609ab25dfd90933119
Instruction Fuzzy Hash: CF31887140DFC45FE7569B3998959623FF0EF92320B1A05DFE088CB1A3D624E846C7A2

Function 00007FFD9BAC97A9 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493299e7c500aaabbe033a52ac4fc9ef6a69cee9033360a77cb36aeba99e611d
Instruction ID: d7ec443b0d62feaacb30b8cbba1615e08410dcdf6b6fc0dfea927ef453a0453f
Opcode Fuzzy Hash: 493299e7c500aaabbe033a52ac4fc9ef6a69cee9033360a77cb36aeba99e611d
Instruction Fuzzy Hash: 8331933191CB4C9FDB1CDB5CA84AAA97BE0FB99721F00422FE449D3251CA71A855CBC6

Function 00007FFD9BACA568 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff0643604bdedd7894c40cbdddff699f049ed61665918e6afce3e2e63c5c638
Instruction ID: c134fa7af72714f73af8d2fa71b4701b4d96ddf47f8134539acef7fc4e58af62
Opcode Fuzzy Hash: dff0643604bdedd7894c40cbdddff699f049ed61665918e6afce3e2e63c5c638
Instruction Fuzzy Hash: 85217B32B0CA4D0FEB99E76C94952B477D0EF55324F0481BBC44DC31E6D969AC168B41

Function 00007FFD9BAC33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: ee59faf03481a4826278b3042e26341a3348b81f49576dea66fea955f9f1e53b
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5801447121CB0C4FD748EF0CE451AA5B7E0FB95364F10066DE58AC76A5DA36E882CB45

Function 00007FFD9BACA0FB Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40173f1dc5b30d90939d5478465190bea326ffa2678844744da4edc8b2a69428
Instruction ID: dd05f0c2d5c9f67cec909961686da6b3ea142816376e4887aee5bda6ec0a12ea
Opcode Fuzzy Hash: 40173f1dc5b30d90939d5478465190bea326ffa2678844744da4edc8b2a69428
Instruction Fuzzy Hash: A5F0E976618A8C8FCB05DF2CD86A4F57FA0FF66211B0601EBE85DC7162D7619A08C7D2

Function 00007FFD9BB9414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1892040543.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610a2c1c337b6a2b5e6ce660871a3aff890198621385fbcd6fb4cb43d0a5e512
Instruction ID: dff3be58d5da59a6e60055798db2b8a763098399d44f4fb6a096feb65d3e2033
Opcode Fuzzy Hash: 610a2c1c337b6a2b5e6ce660871a3aff890198621385fbcd6fb4cb43d0a5e512
Instruction Fuzzy Hash: BEF0BE32B0E5498FD769EB5CE4528A877E0FF5532871200BAE16DC71B3CA25EC40CB40

Function 00007FFD9BB94400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1892040543.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174d0747d1edbcf2830845669fb6e63bc1438e45a6cf09ab25cfc0dae960d4f8
Instruction ID: a860d4fe79d293da9877d7f2c42bc06c271fae569f7868103a6d362e6b6b5bd3
Opcode Fuzzy Hash: 174d0747d1edbcf2830845669fb6e63bc1438e45a6cf09ab25cfc0dae960d4f8
Instruction Fuzzy Hash: D1F0E232B0E5498FDB68EB5CE0618A873E0FF0532871200BAE15DC71B3DA25EC40C740

Function 00007FFD9BB941D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1892040543.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: ccd41cf97bc1051b6dfc5ab65743c2271d9af8b0340f2b08a26d56b09f0b59f9
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 9AE01A31B0C8188FDA78DB4CE0519A977E1FB9832971201BBD14EC76B1CA32ED518B80

Non-executed Functions

Function 00007FFD9BAC8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

L_^Q, xrefs: 00007FFD9BAC8C8A
L_^8, xrefs: 00007FFD9BAC8BF2
L_^Y, xrefs: 00007FFD9BAC8CBA
L_^J, xrefs: 00007FFD9BAC8C62
L_^<, xrefs: 00007FFD9BAC8C12
L_^?, xrefs: 00007FFD9BAC8C2A
L_^N, xrefs: 00007FFD9BAC8C72
L_^K, xrefs: 00007FFD9BAC8C6A

Memory Dump Source

Source File: 00000004.00000002.1891345110.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
API String ID: 0-1415242001
Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
Instruction ID: 336ad1cbfe1c429cbbc3a2013bd376653ffc9a4cad362ec817ae2c65b74884c1
Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
Instruction Fuzzy Hash: BD21F5737045154AC31576ADBC519ED6780DF6837E34552F3F628CF153DB24A48BCA80

Analysis Process: powershell.exePID: 5088, Parent PID: 4900COMMON

Executed Functions

Function 00007FFD9BB86605 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043204317.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37344948b972e332a151d44e989f20da500a43fc11811fb19bc2c32e95317441
Instruction ID: 072eefc80bf0198a493069375edaacdd7a64d72230a02288ccde314672f8bd43
Opcode Fuzzy Hash: 37344948b972e332a151d44e989f20da500a43fc11811fb19bc2c32e95317441
Instruction Fuzzy Hash: EED15871B0EACD0FE7A5ABA858655B57BA1FF16328F0901BFD44EC70E3D928A901C341

Function 00007FFD9BAB9738 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2042359634.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3139882059d2151de701a9fc84e9410bd3e86e954133448e18baf910ca3803c9
Instruction ID: 9a2455b5c2cbb50ee17ba340d30f8a69f480e5d3cb993a5a550171a91560c01f
Opcode Fuzzy Hash: 3139882059d2151de701a9fc84e9410bd3e86e954133448e18baf910ca3803c9
Instruction Fuzzy Hash: E9412771A1CA488FDB189F5C984A6B87BE0FF59310F14816FE459C3292DB74A946CBC2

Function 00007FFD9B99F360 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2041359499.00007FFD9B99D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B99D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc1ed2a6ad057fd2a5bd03b8b22fd7960d0ac92776ba8dc4b01c35825399e97
Instruction ID: e9834ba446f403e991537df7ca3c49eb073a32b9ccc42357e2b694c29b670cea
Opcode Fuzzy Hash: ffc1ed2a6ad057fd2a5bd03b8b22fd7960d0ac92776ba8dc4b01c35825399e97
Instruction Fuzzy Hash: 8741367140EFC45FE7568B299856A523FF0EF57220B1601DFD088CB1A3D629B846C7A2

Function 00007FFD9BABA030 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2042359634.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5971c9e857b9627bc56f7bc5638e16a3f8e819d855ef31413072a7babe649069
Instruction ID: 244752d58f12d8b8464017d07995cc594ca7df086b1ae7882915a54023ce2ee3
Opcode Fuzzy Hash: 5971c9e857b9627bc56f7bc5638e16a3f8e819d855ef31413072a7babe649069
Instruction Fuzzy Hash: 7F310C33A0E69A5FDB15AF6C98B24E53B50DF1222EF4902F3E8AD8F093DD196444C651

Function 00007FFD9BABA47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2042359634.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d0af79d3bc7e74ed3fabb9b2d0891d440cad5bd765e65c1450ef5779a48001
Instruction ID: ee662a65d71c3bd937e8c36c6e3ff8d44bb9b0559666d0c55adebc9e1d65de1b
Opcode Fuzzy Hash: 36d0af79d3bc7e74ed3fabb9b2d0891d440cad5bd765e65c1450ef5779a48001
Instruction Fuzzy Hash: 7621063090CB4C8FDB59DBAC984A7E97FE0EB96321F04426BD458C7162DA749416CB92

Function 00007FFD9BAB33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2042359634.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 17cf545b06c68c12749fae18c059a1fd3c0929f1bc305d672c46b898a287b68f
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8301A73120CB0C4FD748EF0CE051AA6B3E0FF85320F10056EE58AC36A1DA32E882CB45

Function 00007FFD9BB8414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043204317.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dba9d76889624a406877836084e652c4904b6ce35d777c561981f3fe48975e9
Instruction ID: 1ff671abfd7b81726637bfb545c983dfc5d5c0dec7f655590d6e362dbc9ea09c
Opcode Fuzzy Hash: 6dba9d76889624a406877836084e652c4904b6ce35d777c561981f3fe48975e9
Instruction Fuzzy Hash: 62F0B432B0D9494FD769EA5CE45189477E0FF55324B1200BAE16DC71B3CA35EC40C740

Function 00007FFD9BB84400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043204317.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe21d3e30557c9504d28f9512cd7ce472d1f300f9e47b19f11554841cbbf870
Instruction ID: 2486f7667508c09e8216a629c6fd03a6a43991b6c3862a9f2376355b3c52c4ee
Opcode Fuzzy Hash: afe21d3e30557c9504d28f9512cd7ce472d1f300f9e47b19f11554841cbbf870
Instruction Fuzzy Hash: DDF05E32A0E9498FD7A9EA5CE4618A877E0FF45328B5600BAE15DC74A3DA25AC50C750

Function 00007FFD9BB841D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043204317.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 2dff48247507cb871ad432cab4ca7b8e5aeb9198aba82777103ccfbb354ce81a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 6CE01A31B0C8088FDAB9EA4CE0519A977E1FB98325B1201BBD14EC75B1CA32ED518B80

Non-executed Functions

Function 00007FFD9BAB8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^J, xrefs: 00007FFD9BAB8C8A
M_^7, xrefs: 00007FFD9BAB8C12
M_^F, xrefs: 00007FFD9BAB8C7A
M_^4, xrefs: 00007FFD9BAB8BFA

Memory Dump Source

Source File: 00000007.00000002.2042359634.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction ID: 62e749294f243f73b03f876d386388aef594bfc7f5e75aab27cdd844d1464f7b
Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction Fuzzy Hash: 7121C5A77085659ED316BB7DAC149E93740CFA827A78507F3E1A9CF093F9146086CAD0

Analysis Process: powershell.exePID: 5436, Parent PID: 4900COMMON

Executed Functions

Function 00007FFD9BB96605 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2255960034.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537bb9299236b5cb746c997fc3ff047ea9b7e7684172932b36f9213c36e2f2d9
Instruction ID: 4558723f8ca225570b5faaeea5ef2212dda3ac223c94602eedbca6c4b1c908c3
Opcode Fuzzy Hash: 537bb9299236b5cb746c997fc3ff047ea9b7e7684172932b36f9213c36e2f2d9
Instruction Fuzzy Hash: 41D13631B0EA8D0FE7A5ABA888755B57BA0FF16398B0901FFD44EC70E3D918A905C351

Function 00007FFD9BACA820 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ffa876835665417cbfe706ffa8d4b58ab40d1b356aedcc081ababa7a356c27
Instruction ID: 8ceea640fc68298206a15b84e3f2026641b06dcfd39f49c438f0be6fffd69711
Opcode Fuzzy Hash: 13ffa876835665417cbfe706ffa8d4b58ab40d1b356aedcc081ababa7a356c27
Instruction Fuzzy Hash: F3514C3160EB894FE759EB28C8A58B47BE0EF56318B0501BED09DC71A7ED15B807C741

Function 00007FFD9BAC9885 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250678cb4e7ff6b93c4d96a6727829472e611d28518cd74df2caa8623072f2d8
Instruction ID: 663ec3127cc6ddc2cff8392f84224eca1b91806432041c908bda537e6969c234
Opcode Fuzzy Hash: 250678cb4e7ff6b93c4d96a6727829472e611d28518cd74df2caa8623072f2d8
Instruction Fuzzy Hash: 2641D931A1CB488FDB1D9B5CA84A6F8BBE0EB56331F00426FD04993592CB757456CBC6

Function 00007FFD9BACA49C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd2a63d1a9047eedad5a03ebd59e3291f740942d4d97bd56e92d729e035838d
Instruction ID: 1facba10bb1fbee71e74f7f76d42cb8f92a55b6cff6a81b16535603e45c08670
Opcode Fuzzy Hash: 6fd2a63d1a9047eedad5a03ebd59e3291f740942d4d97bd56e92d729e035838d
Instruction Fuzzy Hash: AB41F63190C74C8FEB19DB9CE84A7F97BE0EB96331F04816BD049C3156D6746456CB91

Function 00007FFD9B9AEB80 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2253357062.00007FFD9B9AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b9ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372ba14ff528c5c98ab61efa044ee8d62ecc5e39c23e787edfde6907554ab4cf
Instruction ID: bfd019872a30133ee3d7f2d3bc5c9a31157415f40cee0a878dd183e148e28c0e
Opcode Fuzzy Hash: 372ba14ff528c5c98ab61efa044ee8d62ecc5e39c23e787edfde6907554ab4cf
Instruction Fuzzy Hash: 7F41493140EFC85FE7668B7998559623FF0EF56320B1605EFD089CB1A3D625A806C792

Function 00007FFD9BAC97A9 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493299e7c500aaabbe033a52ac4fc9ef6a69cee9033360a77cb36aeba99e611d
Instruction ID: d7ec443b0d62feaacb30b8cbba1615e08410dcdf6b6fc0dfea927ef453a0453f
Opcode Fuzzy Hash: 493299e7c500aaabbe033a52ac4fc9ef6a69cee9033360a77cb36aeba99e611d
Instruction Fuzzy Hash: 8331933191CB4C9FDB1CDB5CA84AAA97BE0FB99721F00422FE449D3251CA71A855CBC6

Function 00007FFD9BACA085 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aadbf971b4e0fce7d17e294e56126aa849b65f2fb204a3154c1eb35601ae6f
Instruction ID: 65ab373fd90986282215191bc49e4ba578d458842c37d0b3a893c27556690b5c
Opcode Fuzzy Hash: 52aadbf971b4e0fce7d17e294e56126aa849b65f2fb204a3154c1eb35601ae6f
Instruction Fuzzy Hash: AF312832A0E68A5FD715BB6C98728F43B60EF1125AB4901F7D8AD8F0E7DD192401C6A2

Function 00007FFD9BACA589 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbf10680811aab01a4105f74087b573a30b7153491d53595ba5faf21e0af3e9
Instruction ID: b372f4f10f029a489ae111fdd4004a6be90d9b69ec49620ef3398f18f610b6d6
Opcode Fuzzy Hash: acbf10680811aab01a4105f74087b573a30b7153491d53595ba5faf21e0af3e9
Instruction Fuzzy Hash: 17115C3270C94D4FEB98EB5CA4A57B877D0EB98325F14817FD40DC36AADE65AC128B40

Function 00007FFD9BAC33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: ee59faf03481a4826278b3042e26341a3348b81f49576dea66fea955f9f1e53b
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5801447121CB0C4FD748EF0CE451AA5B7E0FB95364F10066DE58AC76A5DA36E882CB45

Function 00007FFD9BB9414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2255960034.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610a2c1c337b6a2b5e6ce660871a3aff890198621385fbcd6fb4cb43d0a5e512
Instruction ID: dff3be58d5da59a6e60055798db2b8a763098399d44f4fb6a096feb65d3e2033
Opcode Fuzzy Hash: 610a2c1c337b6a2b5e6ce660871a3aff890198621385fbcd6fb4cb43d0a5e512
Instruction Fuzzy Hash: BEF0BE32B0E5498FD769EB5CE4528A877E0FF5532871200BAE16DC71B3CA25EC40CB40

Function 00007FFD9BB94400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2255960034.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174d0747d1edbcf2830845669fb6e63bc1438e45a6cf09ab25cfc0dae960d4f8
Instruction ID: a860d4fe79d293da9877d7f2c42bc06c271fae569f7868103a6d362e6b6b5bd3
Opcode Fuzzy Hash: 174d0747d1edbcf2830845669fb6e63bc1438e45a6cf09ab25cfc0dae960d4f8
Instruction Fuzzy Hash: D1F0E232B0E5498FDB68EB5CE0618A873E0FF0532871200BAE15DC71B3DA25EC40C740

Function 00007FFD9BB941D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2255960034.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: ccd41cf97bc1051b6dfc5ab65743c2271d9af8b0340f2b08a26d56b09f0b59f9
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 9AE01A31B0C8188FDA78DB4CE0519A977E1FB9832971201BBD14EC76B1CA32ED518B80

Function 00007FFD9B9AEC99 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2253357062.00007FFD9B9AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b9ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc08f6bab3a80f43efa8fb948ec838f99f194d21895d812dd10a5d685e3e69b
Instruction ID: 6129ed66d839a2a5da842c683800e3781f56912b3c0b861ceec31f6f5cc533e6
Opcode Fuzzy Hash: 3dc08f6bab3a80f43efa8fb948ec838f99f194d21895d812dd10a5d685e3e69b
Instruction Fuzzy Hash: 18F0303061ED0D9FDAA5EAA9C499D3577E1FB64300B220468D04ECB161C624F881CB41

Non-executed Functions

Function 00007FFD9BAC8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

L_^Q, xrefs: 00007FFD9BAC8C8A
L_^8, xrefs: 00007FFD9BAC8BF2
L_^N, xrefs: 00007FFD9BAC8C72
L_^Y, xrefs: 00007FFD9BAC8CBA
L_^?, xrefs: 00007FFD9BAC8C2A
L_^<, xrefs: 00007FFD9BAC8C12
L_^J, xrefs: 00007FFD9BAC8C62
L_^K, xrefs: 00007FFD9BAC8C6A

Memory Dump Source

Source File: 0000000B.00000002.2254925739.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac5000_powershell.jbxd

Similarity

API ID:
String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
API String ID: 0-1415242001
Opcode ID: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
Instruction ID: 336ad1cbfe1c429cbbc3a2013bd376653ffc9a4cad362ec817ae2c65b74884c1
Opcode Fuzzy Hash: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
Instruction Fuzzy Hash: BD21F5737045154AC31576ADBC519ED6780DF6837E34552F3F628CF153DB24A48BCA80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iLPxdpxQ3e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\DisconnectCheats

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03ekwddp.vsc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50kqlwzt.ok3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cb2lysg2.ffk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clhvavz4.fpy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ctjmfczu.0id.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehpi01am.1wk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enoiwdcl.qdk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fr24e1yt.z52.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfqb5ezt.lf3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdufll5a.j1n.psm1

Windows Analysis Report
iLPxdpxQ3e.exe