Edit tour

Windows Analysis Report
UH7iNNKgPW.exe

Overview

General Information

Sample name:	UH7iNNKgPW.exe renamed because original name is a hash value
Original sample name:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7.exe
Analysis ID:	1561583
MD5:	f01ac0aa6cfa3465c7a940f9a1fac989
SHA1:	a04194eee58ce77420a4d38e0db26d1016e30df1
SHA256:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

UH7iNNKgPW.exe (PID: 4344 cmdline: "C:\Users\user\Desktop\UH7iNNKgPW.exe" MD5: F01AC0AA6CFA3465C7A940F9A1FAC989)

KUPAL.exe (PID: 6468 cmdline: "C:\Users\user\AppData\Roaming\KUPAL.exe" MD5: 836B78CBD0059751654B1E8B56F1B429)

powershell.exe (PID: 5968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5376 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ADWASl.exe (PID: 6620 cmdline: "C:\Users\user\AppData\Roaming\ADWASl.exe" MD5: AD125269D35F20666B5522166259AC39)

powershell.exe (PID: 5008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "plant-serial.gl.at.ply.gg", "147.185.221.18"], "Port": 28000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\KUPAL.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\KUPAL.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\KUPAL.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\KUPAL.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\KUPAL.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf174:$s6: VirtualBox 0xf0d2:$s8: Win32_ComputerSystem 0x10ab0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10b4d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10c62:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfe6c:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\ADWASl.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\ADWASl.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\ADWASl.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\ADWASl.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\ADWASl.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112f3:$s6: VirtualBox 0x11251:$s8: Win32_ComputerSystem 0x15674:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15711:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15826:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13aea:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2fbfb:$s6: VirtualBox 0x4ca43:$s6: VirtualBox 0x2fb59:$s8: Win32_ComputerSystem 0x4c9a1:$s8: Win32_ComputerSystem 0x33f7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x50dc4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x34019:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x50e61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3412e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x50f76:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x323f2:$cnc4: POST / HTTP/1.1 0x4f23a:$cnc4: POST / HTTP/1.1
00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xef74:$s6: VirtualBox 0xeed2:$s8: Win32_ComputerSystem 0x108b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1094d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10a62:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc6c:$cnc4: POST / HTTP/1.1
00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x110f3:$s6: VirtualBox 0x11051:$s8: Win32_ComputerSystem 0x15474:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15511:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15626:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x138ea:$cnc4: POST / HTTP/1.1
Process Memory Space: UH7iNNKgPW.exe PID: 4344	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: UH7iNNKgPW.exe PID: 4344	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: KUPAL.exe PID: 6468	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: KUPAL.exe PID: 6468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ADWASl.exe PID: 6620	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ADWASl.exe PID: 6620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.UH7iNNKgPW.exe.12d33750.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.UH7iNNKgPW.exe.12d33750.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UH7iNNKgPW.exe.12d33750.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf4f3:$s6: VirtualBox 0xf451:$s8: Win32_ComputerSystem 0x13874:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13911:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a26:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11cea:$cnc4: POST / HTTP/1.1
2.0.KUPAL.exe.e90000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.KUPAL.exe.e90000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.KUPAL.exe.e90000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.KUPAL.exe.e90000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf174:$s6: VirtualBox 0xf0d2:$s8: Win32_ComputerSystem 0x10ab0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10b4d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10c62:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfe6c:$cnc4: POST / HTTP/1.1
0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112f3:$s6: VirtualBox 0x11251:$s8: Win32_ComputerSystem 0x15674:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15711:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15826:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13aea:$cnc4: POST / HTTP/1.1
3.0.ADWASl.exe.680000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.ADWASl.exe.680000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.ADWASl.exe.680000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.ADWASl.exe.680000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112f3:$s6: VirtualBox 0x11251:$s8: Win32_ComputerSystem 0x15674:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15711:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15826:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13aea:$cnc4: POST / HTTP/1.1
0.2.UH7iNNKgPW.exe.12d16908.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.UH7iNNKgPW.exe.12d16908.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UH7iNNKgPW.exe.12d16908.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf4f3:$s6: VirtualBox 0xf451:$s8: Win32_ComputerSystem 0x13874:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13911:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a26:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11cea:$cnc4: POST / HTTP/1.1
0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112f3:$s6: VirtualBox 0x2e13b:$s6: VirtualBox 0x11251:$s8: Win32_ComputerSystem 0x2e099:$s8: Win32_ComputerSystem 0x15674:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x324bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15711:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x32559:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15826:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3266e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13aea:$cnc4: POST / HTTP/1.1 0x30932:$cnc4: POST / HTTP/1.1
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\KUPAL.exe" , ParentImage: C:\Users\user\AppData\Roaming\KUPAL.exe, ParentProcessId: 6468, ParentProcessName: KUPAL.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', ProcessId: 5968, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\KUPAL.exe" , ParentImage: C:\Users\user\AppData\Roaming\KUPAL.exe, ParentProcessId: 6468, ParentProcessName: KUPAL.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user', ProcessId: 6280, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\KUPAL.exe" , ParentImage: C:\Users\user\AppData\Roaming\KUPAL.exe, ParentProcessId: 6468, ParentProcessName: KUPAL.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', ProcessId: 5968, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\KUPAL.exe" , ParentImage: C:\Users\user\AppData\Roaming\KUPAL.exe, ParentProcessId: 6468, ParentProcessName: KUPAL.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe', ProcessId: 5968, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UH7iNNKgPW.exe

Avira: detected

Antivirus detection for URL or domain

Source: plant-serial.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "plant-serial.gl.at.ply.gg", "147.185.221.18"], "Port": 28000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: UH7iNNKgPW.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UH7iNNKgPW.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: 127.0.0.1,plant-serial.gl.at.ply.gg,147.185.221.18
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: 28000
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: <123456789>
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: <Xwormmm>
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: XWorm V5.2
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: USB.exe
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: %Public%
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: system user

Source: UH7iNNKgPW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UH7iNNKgPW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: plant-serial.gl.at.ply.gg
Source: Malware configuration extractor	URLs: 147.185.221.18

Yara detected Generic Downloader

Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2266366897.0000018C666FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34898505	4_2_00007FFD34898505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34898E05	4_2_00007FFD34898E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34892785	4_2_00007FFD34892785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34964031	4_2_00007FFD34964031
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348B8E05	6_2_00007FFD348B8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348B2785	6_2_00007FFD348B2785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD349839D1	6_2_00007FFD349839D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD349830E9	6_2_00007FFD349830E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348AB9FA	10_2_00007FFD348AB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348A5EFA	10_2_00007FFD348A5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348A8EFA	10_2_00007FFD348A8EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD34972E11	10_2_00007FFD34972E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A25ED	14_2_00007FFD348A25ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A89F2	14_2_00007FFD348A89F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A5BFA	14_2_00007FFD348A5BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A5B80	14_2_00007FFD348A5B80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3497332B	14_2_00007FFD3497332B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD349830E9	17_2_00007FFD349830E9

Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameADWASl.exe4 vs UH7iNNKgPW.exe

Source: UH7iNNKgPW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: UH7iNNKgPW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UH7iNNKgPW.exe, XEzSZgHCvRU6PIyyVykcAoQt2wN8F3qN55AqJmuSAn9IC182lR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, bh7l0j4xfyFFiqWrV16LaYUHH1r7OE1hOyUvzHKQwLQZNAKauYR1fO6QuHKR7w1YbY7VUbCu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: KUPAL.exe.0.dr, 0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.cs	Base64 encoded string: 'kNiYaE/ny3jmmYIBwtyZPjJPbuznt9OawWXkTsR9qA+BlqrnPCkdj99mEAl+sE3S'
Source: ADWASl.exe.0.dr, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: ADWASl.exe.0.dr, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: ADWASl.exe.0.dr, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: ADWASl.exe.0.dr, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: ADWASl.exe.0.dr, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: ADWASl.exe.0.dr, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'

Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/36@1/1

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File created: C:\Users\user\AppData\Roaming\KUPAL.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Mutant created: \Sessions\1\BaseNamedObjects\mUneoSv3FUAeQ4a2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Mutant created: \Sessions\1\BaseNamedObjects\t1DChNHd6c9Qof0cr
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Mutant created: \Sessions\1\BaseNamedObjects\WEoEbM8OdImCc10z
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyeksvtm.nqj.ps1

Jump to behavior

Source: UH7iNNKgPW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UH7iNNKgPW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UH7iNNKgPW.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\UH7iNNKgPW.exe "C:\Users\user\Desktop\UH7iNNKgPW.exe"
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UH7iNNKgPW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UH7iNNKgPW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.PhuOSqiW3h3VaUPTbztuOw8rPFphC7RomB1mumCb,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.rburoukbazQFJTDNfC5dFQImPdItBxK06mfocpdR,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.IzcbDKfDunVXRnLq4y8oBftwUo0m7N8hWKrUODe1,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.QY25jgyPTI68XbEPwIDfmWwSv1m3fYVJkwr8muqM,fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.amvGhdGvyeGb46m()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[2],fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.IBAFke1hf7vKohL(Convert.FromBase64String(K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: VmEQYJZAGyfXfaKDBbzrpoyLQpeh8o7VhJ6Yweo5 System.AppDomain.Load(byte[])
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: aEUO6QbOpPJ85zBVSK067WLzI6gUn0OMKbH0olJwMZnd30qPgTWmQZ2qVQ8R9Uu1tU2NdtVU System.AppDomain.Load(byte[])
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: aEUO6QbOpPJ85zBVSK067WLzI6gUn0OMKbH0olJwMZnd30qPgTWmQZ2qVQ8R9Uu1tU2NdtVU
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3477D2A5 pushad ; iretd	4_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD3479D2A5 pushad ; iretd	6_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD3478D2A5 pushad ; iretd	10_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3478D2A5 pushad ; iretd	14_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3497050C push ds; iretd	14_2_00007FFD34970522
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD34974599 push esi; iretd	14_2_00007FFD3497459A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD3479D2A5 pushad ; iretd	17_2_00007FFD3479D2A6

Source: UH7iNNKgPW.exe

Static PE information: section name: .text entropy: 7.976907442866878

Source: UH7iNNKgPW.exe, XEzSZgHCvRU6PIyyVykcAoQt2wN8F3qN55AqJmuSAn9IC182lR.cs	High entropy of concatenated method names: 'kcc2xQSHauM1QBY9rMzjlcTBkAGCWoyyfCvF2SUZjWZXPK52cV', 'dzOTNA3cVBMpXaDfg5rzmjTZmt4dS9caFgGa0PLtvBEF1fkebr', 'ZNl6O22DcHNMsQ8ZXsDco1pc4sMslpqRuiy93nkIflBettZ4ZW', 'eSf8lNxXjjiRNEHXUzWVpUWbn5zIBSvbqNGB8M29dM3lpWMXoI', 'q9CSJRPC6dUbBEMuJfGJ9XRFMHgyHFZd7x1g3f8xEeJwGslFsA', 'DZ0wFBYCL7kHdcl98kePuKxn46DPKzPNQYHZ8M7srdKjJK0VZV', 'O51aNvdYfEso0A5NHeudGK8qA7UTSYzcgNfhi1FcDmXH3C78H8', 'ORpRqCYdH7KSmXezvI4XgDkDiBaIQ6N3vlrcOznK2biSS6X1hB', 'aVwWE1NtP0UcXYbI0gcqANqDkeBMMvRcgbw6kXxsHcucSadCHo', '_52hm6B4j8hFjoYu7TMy1Rw9OfdOmmr2mf4BbESrJV8M0Ao3A7W'
Source: UH7iNNKgPW.exe, 3eP2DGdEk11wbp0AUKN5845c2YWe3IJ3xPbnLQoglwkBHsdSEIIrBuaYefCbvVyX.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'XumURgCgFsE0grPAJJSgEkOIP96dDAlgwtHGkPkk5muoas2M0g', 'kL84MfpWq3EaMxsTys0qTPAErcmZntZF7H26PngIGeeVoHogI7', 'Rwrdox8IdCjZQGffrHkQxVxlWehgphFooFjGDE5nmHeI5ZQkTz', 'PhfxWHoG2a9glFIjckHIEamgYUl7oguxE7C8BAk7F8ClBQ6Yaf'
Source: KUPAL.exe.0.dr, Gpb9iKg5zffq01B.cs	High entropy of concatenated method names: 'tj26o9I5F40wr4Y', 'g9urBN1GifMOIbT', 'F53hwK1CzrqodgW', 'zsI1BstG3v2F3aB', 'MNgnu1s9P4EkKqJ', 'mkZgnAgV0SBUjfs', 'Vac9ep9NXe8z8YR', 'KvTUNQvA3nvMCTS', 'IxfU6BVho15qJ77', 'yJtMXIPxedFc42J'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	High entropy of concatenated method names: 'FAE9MWrH890r1xO6c3rJ3QyAJrePJtigXS8BahQvEQigz4L2RL0bAuNvYJedPuTQ6naW87mq', 'ig3TqYk0ASC21dw3zOx59AOMeUaS8EHKFBbY1oo8HgF0j0EyZFDYRg5ZengUkgDtp99dno2q', 'IEvfen5HOU4ejarSJUQBsmEP3R6cnAB2hC1TteMUu1BTOCIdE3YRq6iSueI7QeaLSR6BEWkJ', '_91aeS2ugcrtlKkggaiGK7SjgXqBWtFwEEoJ48zyoqQnyN6Ox5qIOzJFJq1mAZgPGMM9s7BfC', '_87ZWHGckLSqCVt7ATT4vK3RhlZxWnuUEebKPQYrzLMZDR4KaLUuOCO1K1vva3HALxVIgOI9Y', '_9Izl3vWKf5PnArVqPMKqNFFcNh2d0ZkepSPixics1caTrp19yJM86vYUyZAjqY2NzaTUkiwn', 'NRwPPLEKdXSrq8q9nWmtokx1YYfEYHk1lbji7gtdaV4TbxqXKqApltbSTvCpYzFIORUsPdMS', 'NAMqH0HKPUIPbvuK9v0k6mGtdkvfJlAR0r8rZGt5RwtBGVFh43blJEKFrkRBB5sXcw1KulGT', 'N71C0Jfc03zJLXM', 'SoRqnTsWlJVtTbu'
Source: KUPAL.exe.0.dr, 4876bMPFrp0s5NsTnGrYyX9sxgDyo6GzENUbRMaPJhUGu6c7agrN3XrMZr0croeO6m60eyDl.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'BJJsVmbBiURdgRYqcymk9XSpGC8bNfIBEg7Y6rlP0wUkSbB2fbolDaMQFC4W5UVD3pYjSsW2', '_3XvbsO88QqYtOlz', 'QYjcBqEA91Wn9NP', 'ibO7hKyPlLhxvvp', 'l6POfA7zEizGDDB'
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	High entropy of concatenated method names: 'ajxNA9IEIeZUdMRw9zo5PxNNgtWjbd7AuN0Xj5l6', 'VmEQYJZAGyfXfaKDBbzrpoyLQpeh8o7VhJ6Yweo5', 'oHopMgoxyFGtsJpygBKHt4KELMvhjrqEMD3Iesr8', 'sguELYWfSUTizTZEZYbZRZ7DOvJFqb3fA1OTf8Jc', '_4dH0CZSaSkEdJ8vqx7xDbTYjmpMZPm3hCa52HGZ0', 'mk035X1eVVMWksu6TN23YDN4JPniJRYwDgbkITBm', '_50HOeMNQHz3bpBz91s5sbkp2w92lnKBTl2FqbgfY', '_6o4dUFbZjEQ9DLlcLtYnu2EbZ2jWfkKoG5cOfoqASfRyBpV9Gd9ypjoBs3SeiwhP2eJT0PoO', 'ymc30zQKDIU08UxHjulCeQ3ALLVRysZJnoz9n881jZvPRCphMVX8z9zJ7R8hZ5tw9JGAl39B', 'JoIf0O9RCoVmb3USI5mTtgIA1bdRsl3aUa3UGYkSWLK4KfeGne6o6V74MZfCkErBpEmIkW1p'
Source: KUPAL.exe.0.dr, bh7l0j4xfyFFiqWrV16LaYUHH1r7OE1hOyUvzHKQwLQZNAKauYR1fO6QuHKR7w1YbY7VUbCu.cs	High entropy of concatenated method names: 'U0dLgk0ChxirxZaPswerOa0jqJutKP0gCicxwYLO0HjdBlZaKlp0oo5SBEsH5DtjScvACpo1', 'yxK4N9wOcUGgc2a', 'j4MTwLfhpj9EdQ1', 'w59jGNhPSa3DzbR', 'QmBG9aMQV6FtGDn'
Source: KUPAL.exe.0.dr, 3TnH11XWxOsnALveVE1XZ1msmmbCCXinCcqONlW9qOTaH40UcdKj9IqqyIM1v5P1U7HB9G2c.cs	High entropy of concatenated method names: 'zzH8SloKg2lGhimXX582BaJPLMo1hgLilGMqjSNEIBxmDo0Xqb29LAXGE0cpZhfFI1tVB1NE', 'Urxn5hfvouuQEAJ2y7w6WJayoRYEW0pImW7qQSwvIJ3AgfbD3rncrn7zSghVtyQPivybRTfY', 'Ic8LDg9hw5l1nFr', 'DKrBb3vsJ7baFy5', 'O0pqir1bUInACrM', '_1QeOfPChLFTrPBx'
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	High entropy of concatenated method names: 'qN0IB9hPi1qppaApcqiAe4sFxRRXf2lwdWB5jRlC', '_6W6Mn4MWMKoh2ADkZUH6GJ8nFI8je4ScsOuqWQsB', '_9mJNru8JnXmLYAU464ogzD6GKfEAIX7ijzGdk1Zu', 'NyC7egV2CDZIO2PnP67HnDlgUbdq0fU1tqepCCu8', 'JC8P9CmdtWKznr0yT40a6lO9rentUruy3bHuW5Eg', 'cMgiRqxSpdjLu8wi517VCIrKTwotswgo8tVFWfM0', 'yUEfcwBrAnHQfElecQbpIILM5cebKPpmFmFqkSqg', 'wMYWNVuvkIYc2Ng0uND5bVt1QhCPKnPpwClG4013', 'VLhVJ67JxPKLNZCPVK0vkpBdr7upQgWOXk7n920k', '_94JgXGgLfwqFghP7us16cQkKc8OwZQCNYwV8jnTU'
Source: KUPAL.exe.0.dr, HkXYzao033NbP35qRtQbQW6x8jekKgKTu4vHnKh2pWXbYuoeuNj1OuclGLmFdsBVBJortvq9.cs	High entropy of concatenated method names: 'Z3NCxC8EL1risoSfjCoq6H6cx84q4wSeJjSr1QZhOA10Zd9dshC5MkW4SltljC7Czj69Orvo', 'E8TTJvl8skSn7IR', 'gnWhNM7nKCrNhdQ', 'aysdm2VArPZn2Uc', 'A4dorEaUx8Dmocy'
Source: KUPAL.exe.0.dr, qxoQ9YMiJuBr6MiDEt9NWsZq59Rutag64lxDptib.cs	High entropy of concatenated method names: 'GKsBJ4OtrpjAE46xmOE0XDZH12K6CGrK2cve9CzL', 'pOi7VppjhQPlAJIQu3BnfoBOkxWEbBGMvlhb9stk', 'XWlHsGSbW1VweBDx7hiEBkPTPVZpFsTjgzWsZSlI', 'zJLSQrpKZAxaVs4K1TwhAp1F5RLIj2rrXQcwIdJL', 'QkNanFLRUUeWWZyBkkBkHeK9n603V5gZOwfMBbAR', 'iEcsd0pGC8KCDggW9Vpy2S3nsqFUTZztE2ejCspW', '_9x0ZflgRVkT9CV46mLrd6d5wEFWW6UxjV8o4c4Su', 'QVvWpfiardIYoE16Asf6GWXTjkpiCxpAYpSQrJP7', 'BIg5SitBdi756eYgRR3EBA0FqRRuI0xfKAwdCRqe', 'dsssygCdLOfgq1wUglJ1PKOITppkhcV0TITRBjy5'
Source: KUPAL.exe.0.dr, 9BEedHNZIxcDjX49XFwhs1P0rCYdoBQ6YaShTeGyU745ewZHhOMEXCMUfY4SdLxTRnJbH4rK.cs	High entropy of concatenated method names: 'NvPoy7rdRbmLoPdHQXUZPr8yT9v2Svd1SecCApSr85ZEvhNKeqGOy6uxAbIj2cM3lJzsLCLo', 'RQcse28C7mbBmA8txljwnkPbSNTHYmQBrt47WtADFwZhOgD9W9I7R7mxDY8euoV9Ol6dDL3k', 'exYdNqoERwrfakSziKsUIhzZQxRFFplnM3Xr4LcWl38OZksJNIqo7o68WMYpzY9ETCxjFMmQ', 'LqrRegV703oqNNtP4pz1HufA6icgriJqm6pAFRwiNj1Dh4hKH0yTTL81jBzCPu58w95CM6O3', '_86pvVjPXZ6gw4mT', 'ewdbxl6u0aDLWkJ', 'KAsvFofzvFDBPLa', 'dRoORTbY0Nf92Yz', 'GPruLIT8mwnSmbw', 'V7YwqHfMRJ5KDmG'
Source: KUPAL.exe.0.dr, ssnftGjpcWgQRRzodzvtrlojetu5ngML6brmX2W8gMw5JGtBMg9AN9VoXrUxcsnr35Fm87Tx.cs	High entropy of concatenated method names: '_0gT5fRJEGRRWvAii8FNW0zGLtWDczWCYB2UYa7VbJqKbZCq3pyOJotvB7zPvRuBPshpT8ceh', '_5g2dT10DATTxc5OZ2PGiqE5Yo1lURBCuk9tWV7aGXZiiClr1irUsgvZrhzcYr2enmwfTcx0w', 'utTzWNXbRMM2x1wgCUt2SUbtkuVAHWJSXd8hH9ITl23LwRrfjeih7L2EiUkKQeDWzUw8QLHW', 'Uy5FgKdtHBidOE8AGQChCVEn9rfhCF42X4MuZxUw6sRb9X0hAIIGaU1x1ftBa5lOhcQjVLDv', 'e9opK80UyENWZZmMcKUSWxMMxEvvppF60jNNCx4p66UQvRUoOoTWLFFIShJwULv2HsK5S7m3', '_7aY0pIPjuj7M1KEfMhCJ1PkDV5w0CmFByLRcBfJF4qFuiOPddGM3lj0tObIL7kVVkggnqSyr', '_6UevKMEBFA08g86rLPOEVcskjPkoh4CkEIT5SZCILjVbVUs6whH49Pyo71CnH4eyHSn5QEGi', '_6Ld76HCSFLJSihqHdXGdYRiIekT75XASc7vC3t5d9KRx7Lsu9hQseBGVT1mnF0mIGYUquqLG', 'W4YDWMk6QHiMuLSXTeQd6lfXLgRBPdXfUwzrDKrMQaQ595C93Npf7gArzjvZfaV9poutRs20', '_4yChv5mMNjiUy3GxWWEkvEwpxH1N7x5MT531kr9yRuS0Pj3uhCk99r4cOI2uVJYgaAGCMhzy'
Source: KUPAL.exe.0.dr, IlOFe16vZxVhby72xUz5Tpz8of5PbmFi8DHIWlR1jvaJDTZ6JTxhgEgqQjpsAGAtPeY4CVzH.cs	High entropy of concatenated method names: '_6Eucg29H61GnFHNSTufqvszpe5v3PDcWWkI7PU6obOxCzMz5znrh70YgaafhZMhNyFbBn5RX', 'kah6rQjfcZWudIBq3QHMEGRQQ5DPCqJjqdr8C8lj0rfNg0jRblo6cCLcsAH2KARLwPyrFcFN', 'XB8yaIHz1nXgMpragf38mOJuhZxCeY5Y8CXhRGKMinf74rrkf9CKuo15Xoq0NL8BfvVBOQzm', 'nwHwtCCHWvKKHsB', 'pVTJh8o6ftGD4JP', 'rI7EKcrpuRksJWq', 'jjHfsoSL1npjMvV', 'uYfVkO1n7hYN9hK', 'An9SI6bT5JHUgLL', '_4MZFL0ePkdDgDiJ'
Source: ADWASl.exe.0.dr, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: ADWASl.exe.0.dr, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: ADWASl.exe.0.dr, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: ADWASl.exe.0.dr, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: ADWASl.exe.0.dr, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: ADWASl.exe.0.dr, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: ADWASl.exe.0.dr, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: ADWASl.exe.0.dr, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: ADWASl.exe.0.dr, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: ADWASl.exe.0.dr, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	File created: C:\Users\user\AppData\Roaming\KUPAL.exe			Jump to dropped file
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	File created: C:\Users\user\AppData\Roaming\ADWASl.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Memory allocated: 1ACF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Memory allocated: 1AA60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7750	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1881	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7608	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6978
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1217
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2113
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1066
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 958

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2224	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924	Thread sleep count: 6978 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5280	Thread sleep count: 1217 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4184	Thread sleep count: 6900 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5916	Thread sleep count: 2715 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep count: 7433 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1592	Thread sleep count: 2113 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2056	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 7123 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 1117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep count: 6329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1524	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep count: 958 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vmware
Source: UH7iNNKgPW.exe, 00000000.00000002.2119347657.000000001B948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Roaming\KUPAL.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Queries volume information: C:\Users\user\Desktop\UH7iNNKgPW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Queries volume information: C:\Users\user\AppData\Roaming\KUPAL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ADWASl.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
UH7iNNKgPW.exe	55%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
UH7iNNKgPW.exe	100%	Avira	TR/Dropper.Gen
UH7iNNKgPW.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ADWASl.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\KUPAL.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\ADWASl.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KUPAL.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ADWASl.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\KUPAL.exe	88%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
147.185.221.18	0%	Avira URL Cloud	safe
plant-serial.gl.at.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
plant-serial.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
127.0.0.1	false		high
http://ip-api.com/line/?fields=hosting	false		high
147.185.221.18	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.m	powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000004.00000002.2266366897.0000018C666FE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.mic	powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.micft.cMicRosof	powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.mi	powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561583
Start date and time:	2024-11-23 20:57:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	UH7iNNKgPW.exe renamed because original name is a hash value
Original Sample Name:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/36@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 61 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target UH7iNNKgPW.exe, PID 4344 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4916 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5008 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5060 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5968 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6280 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: UH7iNNKgPW.exe

Simulations

Behavior and APIs

Time	Type	Description
14:58:03	API Interceptor	136x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	ip-api.com/line/
	file.exe	Get hash	malicious	JasonRAT	Browse	ip-api.com/json/?fields=11827
	Fulloption_V2.1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	http://christians-google-sh-97m2.glide.page/dl/d0a5f4	Get hash	malicious	Unknown	Browse	208.95.112.2
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	208.95.112.1
	file.exe	Get hash	malicious	JasonRAT	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	http://christians-google-sh-97m2.glide.page/dl/d0a5f4	Get hash	malicious	Unknown	Browse	208.95.112.2
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	208.95.112.1
	file.exe	Get hash	malicious	JasonRAT	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\UH7iNNKgPW.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0laiuu5a.43r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0q1o4an5.5xs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3qhksazs.y2i.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rjljiwu.x1w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55pkjazo.w12.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5axlstur.qxb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfyfzqj0.3xz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3orsoly.e4g.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3umcrtz.wcy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpyndwbw.qgo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3znqaiw.sbj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fezj51pd.lfs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ha4qrnbm.wdr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huvki03i.bg3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz5lerdo.ij2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5bs2wk2.svb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5h3poes.q1x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdiva3sm.osh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msa4nzto.d4u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyeksvtm.nqj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qsxdcpbk.wnw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvxsy0z5.bim.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzo4arj3.2gi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdwq2z1i.jwe.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tihjq4gb.off.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vmqovp4e.hxh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrioal35.3nl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyo5mbyo.2va.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vysfs1ih.zqi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbaiktln.csg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsnyxakx.03b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z23u4h5e.be3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\ADWASl.exe

Download File

Process:	C:\Users\user\Desktop\UH7iNNKgPW.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	118272
Entropy (8bit):	6.495671649318874
Encrypted:	false
SSDEEP:	3072:8w8j4M3ikm8m6rbRBCjaO4i0UUt/VJBq0TS9i:8wRMdmmbFpBi9
MD5:	AD125269D35F20666B5522166259AC39
SHA1:	CDF6E0AA20555380073CC3ADB889AA646BBEE132
SHA-256:	33A8BD9E272BE246315CA7E0B4BF76DE70B56A50B2DF7173CD581FE6B17A3BC8
SHA-512:	0BF22A355EF6B0E64DC8027A18B1C9373F3DE495D53516285E063E72170A3511870F7A1CC5EA807717E4F13E21FDF179EC10C41B341597AAB5B763AD561D9043
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.@g.................r...Z......^.... ........@.. ....................... ............@.....................................S........V........................................................................... ............... ..H............text...dq... ...r.................. ..`.rsrc....V.......X...t..............@..@.reloc..............................@..B................@.......H........j...&......&.....................................................(.....r...p. S.....(.....r...p. ~.H..s.........s.........s.........s..........r...p. ....r...p. .J...r...p.r...p.r+..p. ......((....r...p. .(T..ru..p. E/...(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(<...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r8..p. O....r...p. ....rF..p.r...p. .,...rT..p.r...p.rb..p. .O...r...p. G...*.r

C:\Users\user\AppData\Roaming\KUPAL.exe

Download File

Process:	C:\Users\user\Desktop\UH7iNNKgPW.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	6.69396948631976
Encrypted:	false
SSDEEP:	1536:tNj6tippjTXyTrnD8UtkCK+MaV4q3vb2Os6G2GOGCIh17dlzJBq0aCS9j:7fppjTCTGx5q3vb2hjO78JBq0TS9j
MD5:	836B78CBD0059751654B1E8B56F1B429
SHA1:	E0B50529BF27D8EA46DA86AD70FCFE2D6DE2D025
SHA-256:	520CEE13F03430266DAD1BD26F0B4989CF345607FE7D6C45FD69BA4804F91ACB
SHA-512:	B2164BD5942CAD9CC1B4DAF8FE76F707B015FE18F54B322BD0FFC6766DE180E72DC3C5495EBE60E251122FFE6D5127B6BF8267F0C515E91E479D922FA7B113EA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@g.....................Z.......;... ...@....@.. ....................................@.................................L;..O....@...V........................................................................... ............... ..H............text........ ...................... ..`.rsrc....V...@...X..................@..@.reloc...............v..............@..B.................;......H........t..\.......&.....................................................(.....r...p. ..e...(.....r!..p. ....s.........s.........s.........s..........rA..p. .&...ra..p. \|w...r...p. .=l..r...p. ..p..r...p. .l....((....r...p. .x!..r=..p. .~Z..(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(H...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r...p. E/...r...p. j....r...p.r...p. .....r...p. .O...r9..p. ....*.r

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.960686173414757
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	UH7iNNKgPW.exe
File size:	248'320 bytes
MD5:	f01ac0aa6cfa3465c7a940f9a1fac989
SHA1:	a04194eee58ce77420a4d38e0db26d1016e30df1
SHA256:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7
SHA512:	194f3beb37e62604968ca2d8a1700b7f21e22ab0e7f5362006deea42e5592c39b24e9e93577d3b573f4298f474baef7a02eedfb304c625b17647d6782b2c74be
SSDEEP:	6144:rfsrPnXZO9JRkt/u8Anq8AAEybAb5Rw1JrwEeAAWbkk:rUzXZO9JPnq8hbG5C1ahS
TLSH:	6534121FBAC56302E602577D55F26256062A9F282C712E3F94DD1392792BEECA4C3D31
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@g.................v...R........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	02082c6474e20430

Static PE Info

General

Entrypoint:	0x43940e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740A0C2 [Fri Nov 22 15:18:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x393bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x4ede	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x37414	0x37600	cd5794eb5b20145856a50b352d868ece	False	0.9704518199774267	data	7.976907442866878	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x4ede	0x5000	527f1b72bc148b1e362268f6cee9e418	False	0.880078125	data	7.805899851739429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0xc	0x200	dce1c75c3b72e728ad83fff3c3d93e13	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3a130	0x4941	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9212925931850904
RT_GROUP_ICON	0x3ea74	0x14	data	0.9
RT_VERSION	0x3ea88	0x26c	data	0.4612903225806452
RT_MANIFEST	0x3ecf4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 20:58:01.017329931 CET	49708	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:01.043360949 CET	49709	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:01.143883944 CET	80	49708	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:01.144212961 CET	49708	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:01.149873018 CET	49708	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:01.170051098 CET	80	49709	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:01.170212030 CET	49709	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:01.173712969 CET	49709	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:01.269438982 CET	80	49708	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:01.293265104 CET	80	49709	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:02.240359068 CET	80	49708	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:02.284204960 CET	49708	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:02.359275103 CET	80	49709	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:02.409173965 CET	49709	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:51.374644041 CET	80	49709	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:51.374716997 CET	49709	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:58:58.104737043 CET	80	49708	208.95.112.1	192.168.2.6
Nov 23, 2024 20:58:58.104887009 CET	49708	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:59:42.259465933 CET	49708	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:59:42.362874985 CET	49709	80	192.168.2.6	208.95.112.1
Nov 23, 2024 20:59:42.380172014 CET	80	49708	208.95.112.1	192.168.2.6
Nov 23, 2024 20:59:42.488102913 CET	80	49709	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 20:58:00.663616896 CET	64853	53	192.168.2.6	1.1.1.1
Nov 23, 2024 20:58:00.905735970 CET	53	64853	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 20:58:00.663616896 CET	192.168.2.6	1.1.1.1	0x17c8	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 20:58:00.905735970 CET	1.1.1.1	192.168.2.6	0x17c8	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	208.95.112.1	80	6468	C:\Users\user\AppData\Roaming\KUPAL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 20:58:01.149873018 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 23, 2024 20:58:02.240359068 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 19:58:01 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49709	208.95.112.1	80	6620	C:\Users\user\AppData\Roaming\ADWASl.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 20:58:01.173712969 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 23, 2024 20:58:02.359275103 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 19:58:01 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 59 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	14:57:55
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\UH7iNNKgPW.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UH7iNNKgPW.exe"
Imagebase:	0x9b0000
File size:	248'320 bytes
MD5 hash:	F01AC0AA6CFA3465C7A940F9A1FAC989
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:57:56
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\KUPAL.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\KUPAL.exe"
Imagebase:	0xe90000
File size:	96'256 bytes
MD5 hash:	836B78CBD0059751654B1E8B56F1B429
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\KUPAL.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:57:56
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\ADWASl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ADWASl.exe"
Imagebase:	0x680000
File size:	118'272 bytes
MD5 hash:	AD125269D35F20666B5522166259AC39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\ADWASl.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:58:01
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:58:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:58:02
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:58:02
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:58:13
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:58:13
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:58:15
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:58:15
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff799c70000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:58:43
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:58:43
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:58:47
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6320, Parent PID: 5888

General

Target ID:	20
Start time:	14:58:47
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:59:38
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:59:38
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	14:59:47
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6812, Parent PID: 5916

General

Target ID:	24
Start time:	14:59:47
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD34890D80 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD34890E38

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f9aea1d50a75d7487f2d863ad967971c57fa2e6836ade7cfad2a7d91c9e74f9a
Instruction ID: bbd23d8c5cc858527742245adcc71870fc518af1e36e7f96658f74d951876da7
Opcode Fuzzy Hash: f9aea1d50a75d7487f2d863ad967971c57fa2e6836ade7cfad2a7d91c9e74f9a
Instruction Fuzzy Hash: 4A31876284E3C25FC70397705CB64A17FB09E4722070E41DBD8C4CF5A3D51C6A9AD762

Function 00007FFD348910ED Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996394271dd86660b5eed74cd9eb64bffbe013f297a108df5734fbea11d9311c
Instruction ID: 7f39dc2c30483e97329bf8afb4266ed3efb5dbdf4b6c0c533abac989ff0fe308
Opcode Fuzzy Hash: 996394271dd86660b5eed74cd9eb64bffbe013f297a108df5734fbea11d9311c
Instruction Fuzzy Hash: 2B31A921B0DAC94FEB95A76C48A92B87BE1EF9A205B0400BBD44DC72E3DD586C45D711

Function 00007FFD348909F7 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca496da1ae3e2baa89c6643513cccff6e3d9f4d3e02c3393cfaeacd772a14f54
Instruction ID: 392e91de1ff7bb0999d789a708d731b53c057a6d8d2cc4be936d6e98029ffa45
Opcode Fuzzy Hash: ca496da1ae3e2baa89c6643513cccff6e3d9f4d3e02c3393cfaeacd772a14f54
Instruction Fuzzy Hash: AC714F30B199098FEB98EB68D4A8BAD7BE2FF55315F500269E15AD32D1CF38AC41D740

Function 00007FFD34890498 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5506149591efa750d7acdeed09cda06c5a9ac859cd99e3f851aa56653ea23326
Instruction ID: 9c6fa188ba2afb8ce4cafd114d4b2800e9c397ec35240d1f0834096afcd54d13
Opcode Fuzzy Hash: 5506149591efa750d7acdeed09cda06c5a9ac859cd99e3f851aa56653ea23326
Instruction Fuzzy Hash: 3421C831B18D4D4FEB94FB6C88A96BD77E2EF99305B04007AE40DD3693DD68AC418740

Function 00007FFD34890951 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d622b8aea020f6484411e940490acbae8dd43984cba7ae435ebccca4a3200d17
Instruction ID: 62a2a76a1946fd600da47ffe5b906053c78abbfb14271abda6c2536dd124e286
Opcode Fuzzy Hash: d622b8aea020f6484411e940490acbae8dd43984cba7ae435ebccca4a3200d17
Instruction Fuzzy Hash: 0A112371D09B484FEB05CFA8C4952DDBFF1EF5A300F01016AD144E7282DB38A8468B41

Function 00007FFD34890E71 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0a72c2e96329aabb742bfbe7a7bb9882c4488c8571a6b997e4ebb0dd51b874
Instruction ID: b780f3541e3475b93c1a066718f6991654c58ce937bd8931293dd9ee213472fa
Opcode Fuzzy Hash: 2b0a72c2e96329aabb742bfbe7a7bb9882c4488c8571a6b997e4ebb0dd51b874
Instruction Fuzzy Hash: E601F930B1DA8A4FD754E72884E55AD77D1FF8A210B501579C649C3282DE2CE8428781

Function 00007FFD348904B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4363980361e5b90753ab11ce4c69ec41d962d60ddb7f1e2a5cad1d072e2e99d
Instruction ID: 12115d8c2b6d6d896343b1e2e9ab3ff2c4392fddc785f40a3dd34df3ce91fa4b
Opcode Fuzzy Hash: c4363980361e5b90753ab11ce4c69ec41d962d60ddb7f1e2a5cad1d072e2e99d
Instruction Fuzzy Hash: C9F0C230B28A5A4FD764F76894A567D73D6FB8A700B501979D64EC3381DE2CA84287C2

Function 00007FFD348904A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7731696e37c8ac3ef5cd967c2930019909d14c5409bcc328e360c7f26168c9
Instruction ID: cb3653e9860758b9847fca3dafda9033a92175bbcc76ab04df199090adf3f5f1
Opcode Fuzzy Hash: 6b7731696e37c8ac3ef5cd967c2930019909d14c5409bcc328e360c7f26168c9
Instruction Fuzzy Hash: 7CF02220B2D95B4BD764B37C94A16BE73D6EF8A310B501979D20EC3282DE2CB84287C1

Function 00007FFD34890F3F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119664719.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_UH7iNNKgPW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5b7894a44ca869013fe5c0d478262db51f44f3928f84aad0ef64ea707c5f77
Instruction ID: 8f116ab6b4c77fa2093eae036e30f5195a11cadbbcfd0b04ab44e538c2327b31
Opcode Fuzzy Hash: 1d5b7894a44ca869013fe5c0d478262db51f44f3928f84aad0ef64ea707c5f77
Instruction Fuzzy Hash: F0E08602F1CD0A0BE79866AC28B62B867C2EB99311B415079E10DC22C3DC1D9C826241

Analysis Process: powershell.exePID: 5968, Parent PID: 6468COMMON

Executed Functions

Function 00007FFD34964031 Relevance: .8, Instructions: 762COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2277780336.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34facd20bee3170c28c465bea56e7cf8aa08a4986bc65679dad2439cb50e9ab
Instruction ID: 256bd44f5c7ac088e728d1b1a41f7b15bf2a1ef9b408ab41e97d0547ca2989bc
Opcode Fuzzy Hash: b34facd20bee3170c28c465bea56e7cf8aa08a4986bc65679dad2439cb50e9ab
Instruction Fuzzy Hash: 22322421A0E7C98FE796976848A55A43FE1EF53230B1901FFD18DCB1A7D91CAC06C366

Function 00007FFD3489A0D3 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e87a7549bb586cdfcc963e06afff813091f713baf7e23e65f7264b3c9f388e
Instruction ID: f01130a7f6357e2f7f5f756d1e9fad9258f98d3c0f42bef463be2c84e60e9cf0
Opcode Fuzzy Hash: b6e87a7549bb586cdfcc963e06afff813091f713baf7e23e65f7264b3c9f388e
Instruction Fuzzy Hash: 08115E26A0EBC44FD7539B289C790E47FB0EE53215B0E00EBD589CB0A3DA595808D792

Function 00007FFD3489A8CC Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79608df0547fb323488b2a3211728d4fc1e24ca9eede14e9ff64ac13251d4c6
Instruction ID: 68722f21091d560aeaf5abf7b68535e8a29a61cb9dc55ce4fa93672b0c9435df
Opcode Fuzzy Hash: d79608df0547fb323488b2a3211728d4fc1e24ca9eede14e9ff64ac13251d4c6
Instruction Fuzzy Hash: 6B312831A0DB8C4FEB55DBA8989A6F97BE0EF56320F04416FD049C7153DA386846C751

Function 00007FFD3477E380 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2275079093.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5793284b677ca998229ed39a0af54d6a3893aa849a0cc0d98b9d40d98e3177
Instruction ID: fd66ab73af59bcc154ef9676986ee21778fd4c2805b77a523aaa0b901eaac251
Opcode Fuzzy Hash: cc5793284b677ca998229ed39a0af54d6a3893aa849a0cc0d98b9d40d98e3177
Instruction Fuzzy Hash: AA4115B140DBC48FE7568B289C959623FB0EF53314B1545EFD08CCB1A3D669B846C792

Function 00007FFD3489978F Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59bb576bf9c2a8be5e3eaf8ea060d50dd3b7042615410c979799e491bd01da6
Instruction ID: 656e4cbe11f73c85aec94e863eb6b5a8c976e538684d0ffd05c4901b29892f80
Opcode Fuzzy Hash: c59bb576bf9c2a8be5e3eaf8ea060d50dd3b7042615410c979799e491bd01da6
Instruction Fuzzy Hash: B431823091CB4C9FDB58DB5CA84A6A9BBE0FB99321F00422FE449D3251DB71A8558BC2

Function 00007FFD349640BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2277780336.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9baccc73ba77b66de5b3cdb8f7f58bbbaef2dfb757d3bfb33bd288a03f085a
Instruction ID: 282fde91c8514b38005a9e8b367c6dfea92a05a8e58a14c0975a6bb1199b2c2f
Opcode Fuzzy Hash: 6c9baccc73ba77b66de5b3cdb8f7f58bbbaef2dfb757d3bfb33bd288a03f085a
Instruction Fuzzy Hash: 3E210932B0DA978FE7A5DB9844F057466C2EF66230B4A00BED54DC71A7CD1CEC049755

Function 00007FFD349643BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2277780336.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9fa989848559c1e46cc7342487e5babbb061ed17fa2bf9d987a8ad81832650
Instruction ID: 6993cb704efd160c821995e3bf25a29f3b332be15798123d9d92687953e69409
Opcode Fuzzy Hash: 0b9fa989848559c1e46cc7342487e5babbb061ed17fa2bf9d987a8ad81832650
Instruction Fuzzy Hash: AC11E032A0E5858FE7A5D79C84B59B87BD1EF0223474800FED55DCB09ACA1DBC049365

Function 00007FFD3496681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2277780336.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db5cfb75cc300143901e218553e05cefd29ddd4f1becc73773202125aae3f72
Instruction ID: 4142992b9a7abf350f55ddb053b6a08169c48cbfd0aa72e89a6efd89a620e93c
Opcode Fuzzy Hash: 3db5cfb75cc300143901e218553e05cefd29ddd4f1becc73773202125aae3f72
Instruction Fuzzy Hash: 19110672B0D6884FEB55EAA844E41A87BD1EF56334B0840BEC54CD7097CD2DAC45C360

Function 00007FFD348933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b494f2a8eb02582609de919dfa68e09b61169e8aa793a587103d3dbf1ad62de
Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
Opcode Fuzzy Hash: 4b494f2a8eb02582609de919dfa68e09b61169e8aa793a587103d3dbf1ad62de
Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41

Non-executed Functions

Function 00007FFD34898505 Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD34898562
N_^, xrefs: 00007FFD34898522
N_^, xrefs: 00007FFD348985C2

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^
API String ID: 0-3932276975
Opcode ID: ae1426f045cc3a4b672d33463ea175a7cc21dc65662e1e67e35a273c0ce20e49
Instruction ID: 3a8584de9c3763bc92a81f4ec511d794c559f703c357a00d84d0dd6cf8a639cd
Opcode Fuzzy Hash: ae1426f045cc3a4b672d33463ea175a7cc21dc65662e1e67e35a273c0ce20e49
Instruction Fuzzy Hash: 27318853F1DEC35BF7A6033808B60996FD4EE5326471A15F6CA99CB0939E0C280BA642

Function 00007FFD34892785 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bef6db1f74593fce6aaca2f62275f9992c47854e572554a139e35423facce6
Instruction ID: 2e8541a7fefe8347fc8ae78f23a25e95f18aa35812b92f4256f70392997d55e2
Opcode Fuzzy Hash: a4bef6db1f74593fce6aaca2f62275f9992c47854e572554a139e35423facce6
Instruction Fuzzy Hash: 87A16067A0D7D21FE75297BC68F61E63FA0DF4322470D05FBC188DE093E929684A9261

Function 00007FFD34898E05 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbb20570f04975fa7320ec599a67764696ab8c74cfa2f3c608c147c8ac30bf3
Instruction ID: e897cd6adf243f3d0e758967220f70b16bb987c1b38029ac6b03ad1098f169d8
Opcode Fuzzy Hash: cfbb20570f04975fa7320ec599a67764696ab8c74cfa2f3c608c147c8ac30bf3
Instruction Fuzzy Hash: 52619252A1EBC35FE762873C4CBA1996FE0EF13364B0914FBCA95CB093E91D18069346

Function 00007FFD34898995 Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD34898A6A
N_^, xrefs: 00007FFD348989C9
N_^, xrefs: 00007FFD34898A2A
N_^, xrefs: 00007FFD34898AC2

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: e2aac3ffc96026da03a2cae2171f737673b35accff9ae400eaef60b5d1950994
Instruction ID: 0d8daab64f4dfa42c78a3b6c598bef0df2e9404e2343ee454a60e5c50fb47ae0
Opcode Fuzzy Hash: e2aac3ffc96026da03a2cae2171f737673b35accff9ae400eaef60b5d1950994
Instruction Fuzzy Hash: 644172A3A1EAC35FE35647285CB91996FE0EF13364B0D05F6C285CB093ED1D28469293

Function 00007FFD34898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FFD34898C8A
N_^7, xrefs: 00007FFD34898C12
N_^F, xrefs: 00007FFD34898C7A
N_^4, xrefs: 00007FFD34898BFA

Memory Dump Source

Source File: 00000004.00000002.2276746749.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 48f72aece68ee30e69eb38bc87d08edce59f5d1dc8e02105639cf702198b4581
Instruction ID: 3b76da1c841fbdb11da6a3614379ab6690a2d8885d252c0cc13f4bf58231014a
Opcode Fuzzy Hash: 48f72aece68ee30e69eb38bc87d08edce59f5d1dc8e02105639cf702198b4581
Instruction Fuzzy Hash: D32101B7B084266FD3127BFCAD346DA3B54DB9433474902B2D298DB143E934708A8AC2

Analysis Process: powershell.exePID: 5008, Parent PID: 6620COMMON

Executed Functions

Function 00007FFD349839D1 Relevance: 2.7, Strings: 1, Instructions: 1470COMMON

Download Yara Rule

Strings

J_H, xrefs: 00007FFD34983BD2

Memory Dump Source

Source File: 00000006.00000002.2295865392.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID: J_H
API String ID: 0-326533465
Opcode ID: 6f76a262ae8a59584c6683f79930c72a778f4d4a1202c28f89f6741afa4c123e
Instruction ID: 795e276c09b486cdfd62c3828218d033d7cca46488b54f94cb365494bee92424
Opcode Fuzzy Hash: 6f76a262ae8a59584c6683f79930c72a778f4d4a1202c28f89f6741afa4c123e
Instruction Fuzzy Hash: 1F923622B0EB894FE7A69B2C58A51B47BE1EF97210B0901FFD18DC7197D91DAC06C361

Function 00007FFD348BA0D3 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295202314.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c98cd07b69dd5e1e765294737e441c1434545e99f8435beb9259edc63873dc8
Instruction ID: e0989a3a576518a37e47705e6212ff67e0eff24ea4e1d7d76e3d56bc41eb9755
Opcode Fuzzy Hash: 9c98cd07b69dd5e1e765294737e441c1434545e99f8435beb9259edc63873dc8
Instruction Fuzzy Hash: F4119E7290EBC44FD7539B3898790E47FB0EE63200B0D00EBD189CB1A3D95A5809C793

Function 00007FFD348B9758 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295202314.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134ed2f7712e1b6b1cbf15d9e85e6fca3a26f1ef114ea512e4529c9ac4046a13
Instruction ID: c05c20b39f85d85ffac3c63be60cc499a4e5e7bf110b590233c42498e878b05d
Opcode Fuzzy Hash: 134ed2f7712e1b6b1cbf15d9e85e6fca3a26f1ef114ea512e4529c9ac4046a13
Instruction Fuzzy Hash: 7431FA3191CB488FDB5C9F5C98466E97BE0FB99310F04812FE449D3292DB74A816CBC2

Function 00007FFD348BA62C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295202314.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbddf9fb8c720d3a2cd0efc4b02cbcac2a92e4b28b3f5e6252e11acf6dcf229d
Instruction ID: efebe40ecede5472256c599ddb753da3ac084a86e3f410a6a424820fca370dad
Opcode Fuzzy Hash: bbddf9fb8c720d3a2cd0efc4b02cbcac2a92e4b28b3f5e6252e11acf6dcf229d
Instruction Fuzzy Hash: C721F63190CB4C4FEB59DBAC984A7E97FF0EB96321F04416BD048C3152DA74A41ACB92

Function 00007FFD349840BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295865392.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53263c24040ac82525322552d55b59f1c025c2edb480b55ffb00ccb6eb5e03b7
Instruction ID: 42c149d5f38a3c4f239a0eebf909ee86da92dbd7a640cc61c7d97c8e14ab758a
Opcode Fuzzy Hash: 53263c24040ac82525322552d55b59f1c025c2edb480b55ffb00ccb6eb5e03b7
Instruction Fuzzy Hash: B121F522B0DA978FE7E9DB1C44F053466C2EF66214B4801BED24DC71ABEE1CEC049351

Function 00007FFD349843BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295865392.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2074895f28f3eb64b040bbb29c10bedfbc461e3f9abda359145fbc5d1bbe6526
Instruction ID: 7266c60099a2614fbb7585289a44ee4800b36ae6338324c5406aacfa9148277e
Opcode Fuzzy Hash: 2074895f28f3eb64b040bbb29c10bedfbc461e3f9abda359145fbc5d1bbe6526
Instruction Fuzzy Hash: 8D11CE32A0E5858FE6E4D72C84B45B8BAD1EF02224B4800BED55DC749AEA1DAC049361

Function 00007FFD3498681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295865392.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ecc2c6757e2e844a2095a42d4216eed8a9860c7628e61b48a5dd28780a5d01
Instruction ID: 69bf377857814e7b7500cf2a6edb035bfcb56e19eaa10151360835798498e59e
Opcode Fuzzy Hash: d1ecc2c6757e2e844a2095a42d4216eed8a9860c7628e61b48a5dd28780a5d01
Instruction Fuzzy Hash: BC110632B0D68C4FEBA5EA9C44E41A87BD1EF5A310F0840BEC54DDB097CD29AC45C360

Function 00007FFD348B33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2295202314.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: deb5d86c88e8f26112380754d293aded1f7c495d532cba5f2c16f698bcc23440
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: E201A73020CB0C4FD744EF0CE051AA6B3E0FB89320F10052DE58AC3651DA36E882CB41

Non-executed Functions

Function 00007FFD348B8995 Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD348B8A6A
L_^, xrefs: 00007FFD348B89C9
L_^, xrefs: 00007FFD348B8A2A
L_^, xrefs: 00007FFD348B8AC2

Memory Dump Source

Source File: 00000006.00000002.2295202314.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: e93b9510a156e89a593cfc6afc8774610cb4b3f1aa25b0acfc96fa9402d65e27
Instruction ID: 43111a870aa02e78a8ca084888536222af259134bf561be75c7be52f1e0e6483
Opcode Fuzzy Hash: e93b9510a156e89a593cfc6afc8774610cb4b3f1aa25b0acfc96fa9402d65e27
Instruction Fuzzy Hash: 784191A3A0E6C24FE717472958B91D97FA0EF13314B0D25F6C294CB093EE6D644A9382

Function 00007FFD348B8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^4, xrefs: 00007FFD348B8BFA
L_^7, xrefs: 00007FFD348B8C12
L_^F, xrefs: 00007FFD348B8C7A
L_^J, xrefs: 00007FFD348B8C8A

Memory Dump Source

Source File: 00000006.00000002.2295202314.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 3209f7745e5385a63ddd1d6cfd6fd0dcaf95f34da8e6c148b4e64cd7787c8a63
Instruction ID: c8f5dac7c87642043c643811192ed0d3f1ce2d220aeccaec631159cc4bf272a0
Opcode Fuzzy Hash: 3209f7745e5385a63ddd1d6cfd6fd0dcaf95f34da8e6c148b4e64cd7787c8a63
Instruction Fuzzy Hash: 1A21D1B77085256ED2127BFDB8255EE3764CB9437434962B2D2989B053EA34708A8AE0

Analysis Process: powershell.exePID: 5060, Parent PID: 6468COMMON

Executed Functions

Function 00007FFD348A644D Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a9946d506ee857ebef2a55e3357164e9a48f90047e1da45eefcac0b40bbb14
Instruction ID: 50266c8cae93e4b8040f0cbf9fc946ec107cc28d7c820b3f6803ab3802c0e713
Opcode Fuzzy Hash: d9a9946d506ee857ebef2a55e3357164e9a48f90047e1da45eefcac0b40bbb14
Instruction Fuzzy Hash: 0BD1A130A18A4D8FDF94DF58C4A5AE97BE1FF69300F14416AD44DD72AACB78E841CB81

Function 00007FFD348A9CF8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27b3bc6f04e00de95cf044d649c511e95c8382846e6ddfd5af27e4ee15c5a64
Instruction ID: 45347a7a4d5571ef1679e4b814a9ad383781efe3feacd26dfe0c330fc1371350
Opcode Fuzzy Hash: c27b3bc6f04e00de95cf044d649c511e95c8382846e6ddfd5af27e4ee15c5a64
Instruction Fuzzy Hash: 8B21D462D0EBC54FD7839B384C691A4BFB0AF23240B0900FBD488CB0A3D95DD859C7A2

Function 00007FFD348AA149 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7839800d3c33a6ddf60f754fe9f874b903a799869e2f93d18e7613547b868270
Instruction ID: 203d8ba6ef65a2f3084524965d4ffe64c6e89f665a4df0a3c7e528a00e5ccefc
Opcode Fuzzy Hash: 7839800d3c33a6ddf60f754fe9f874b903a799869e2f93d18e7613547b868270
Instruction Fuzzy Hash: 73F0A071909A8C8FCB86DF2898694E47FF0FF25204B05019BE509C7061DB619918CBC2

Function 00007FFD34974073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2570098464.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c4dbb6e3713dad2047ce50d86640ddea52fc422cd992e90f0d088f7962733c
Instruction ID: f60ebadfd5a55e12609cc4febb2edc2d7c198e92b25eecbee3ed9ecc6a2cc7bd
Opcode Fuzzy Hash: e8c4dbb6e3713dad2047ce50d86640ddea52fc422cd992e90f0d088f7962733c
Instruction Fuzzy Hash: E3516D32B0DA968FEB99E61C48B15747BD1EFA6260B1840BFC18DC7197DE28EC05C351

Function 00007FFD34974370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2570098464.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695c16cfbdb52f3af065757e985170794cf238d62d2fb10fc83501020ca5e236
Instruction ID: 18e8f54f2bb0c39133d32f95958c6964fac0593f7ca6c726697e534d606dc933
Opcode Fuzzy Hash: 695c16cfbdb52f3af065757e985170794cf238d62d2fb10fc83501020ca5e236
Instruction Fuzzy Hash: 2F416A32B0DA858FEBA5D72C58A05B47BD1EF42324B0840BFC18DC7187EA18FC049391

Function 00007FFD348A9783 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bca0326d0a27f5e8dd81b41bc24c8cc60df6af4d48caeffade864004343dbf
Instruction ID: 3a8cad41ec5aaeeb44aaeb15970a6a5185df72a77682518a49132ae2f3e26a6c
Opcode Fuzzy Hash: f8bca0326d0a27f5e8dd81b41bc24c8cc60df6af4d48caeffade864004343dbf
Instruction Fuzzy Hash: FA311A3190CB884FDB599F5C9C566A97BE0FB96310F04416FE449D3252CB74A816CBC2

Function 00007FFD348AB418 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56dbeb7f59f7e4b46b52c2ee0bfb568a1f0d2946a4e276eabab16901cdc97021
Instruction ID: abd6827a0df735e2d2293395bd0dd987ddf207580faff9fd8aa3417613223546
Opcode Fuzzy Hash: 56dbeb7f59f7e4b46b52c2ee0bfb568a1f0d2946a4e276eabab16901cdc97021
Instruction Fuzzy Hash: AA21F83190CB4C8FDB58DF9C988A7E97BE0EB96330F04416FD149C3152D6745846CB91

Function 00007FFD349740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2570098464.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a97a14b2c5d835aa56b1f822b3c07d045608ca09efa0ef36010fc2b3b622d79
Instruction ID: 7c53ffbc19e2ccbe33414bfe6c5c1d6eaddc2cb07829745529db7b5dc60650c1
Opcode Fuzzy Hash: 4a97a14b2c5d835aa56b1f822b3c07d045608ca09efa0ef36010fc2b3b622d79
Instruction Fuzzy Hash: E0210922B0DA978FE7A5EB1C48F05346AC1EF66250B4981BED18DC71ABCD2CEC049351

Function 00007FFD349743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2570098464.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883c3c1cca320f4ee4479ca63cec9204d6fb979a57aa73c81f2835bdad86fdf1
Instruction ID: add2f3d0b401ec9ac29e7b2c0ce413942bce30e055945f5cbb71d01b4f85f588
Opcode Fuzzy Hash: 883c3c1cca320f4ee4479ca63cec9204d6fb979a57aa73c81f2835bdad86fdf1
Instruction Fuzzy Hash: 6611E032A0E5858FE7A4D71888B45B87BD1FF0222474940FED59DD709BCA2DBC049761

Function 00007FFD3497681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2570098464.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64817820dad4108c0c2ad76de472f6c875d35bf55feb4d078e75b76e2a7d7ee
Instruction ID: 1e6a667867ba038bc4d4b9665912347d75085c4fe2635d8cd83bd964cfc2246c
Opcode Fuzzy Hash: a64817820dad4108c0c2ad76de472f6c875d35bf55feb4d078e75b76e2a7d7ee
Instruction Fuzzy Hash: C6110672B0D6884FEB65EA9848E45E87FD1EF56320B0880BEC54CCB197CD2DAC45C320

Function 00007FFD3478EDDF Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2565658662.00007FFD3478D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3478D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd3478d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
Instruction ID: 6a15ce76a759ac2ced2927855acc827a7588cccb9dff6e7a3edc34bb6a2429e7
Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
Instruction Fuzzy Hash: B0014F3161CE088F9AA4EF1DE48695237E0FB98320710065AD41DC755AD735F891CBC1

Function 00007FFD348A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 0c5e5649d06d92c1145b5404b9a75156bb07d5da2bacdf6660bb961c601e6699
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 5C01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45

Non-executed Functions

Function 00007FFD348A8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^?, xrefs: 00007FFD348A8C2A
M_^K, xrefs: 00007FFD348A8C6A
M_^J, xrefs: 00007FFD348A8C62
M_^Q, xrefs: 00007FFD348A8C8A
M_^<, xrefs: 00007FFD348A8C12
M_^8, xrefs: 00007FFD348A8BF2
M_^Y, xrefs: 00007FFD348A8CBA
M_^N, xrefs: 00007FFD348A8C72

Memory Dump Source

Source File: 0000000A.00000002.2568092491.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
Instruction ID: 0d89409c9456d6fc60ab0403801a8cf6c960bb07274d0b8a9fee97d209a9d1ca
Opcode Fuzzy Hash: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
Instruction Fuzzy Hash: 5921F273B045259AC21236FCB8619D97794DF5437838A03F3E028DF193F978B48B8A80

Analysis Process: powershell.exePID: 4916, Parent PID: 6620COMMON

Executed Functions

Function 00007FFD348A644D Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2604413285.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d679fcbddc7338cfebc2a33dd4ae4a0a9f14d8631aceb53db7d4eff14755854a
Instruction ID: 3c3fbafc465a925e3805df4f1bca79840b509d14c181f33dbb8373cdfb71e70d
Opcode Fuzzy Hash: d679fcbddc7338cfebc2a33dd4ae4a0a9f14d8631aceb53db7d4eff14755854a
Instruction Fuzzy Hash: 14D1A130A18A4D8FDF94DF58C4A5AE97BE1FF69300F14416AD44DD72A6CB78E841CB81

Function 00007FFD348AB258 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2604413285.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2935f08777cb9190ae13a5d6f3a63c2f74f7525b5d76b6d2e1ca0fa6e15ac4c9
Instruction ID: de0aa445c750f5f3cfbe31dd937b177c3d4336619289f9439b98a678db9a67b8
Opcode Fuzzy Hash: 2935f08777cb9190ae13a5d6f3a63c2f74f7525b5d76b6d2e1ca0fa6e15ac4c9
Instruction Fuzzy Hash: DCB14770A1DB884FE788DF5CC8A56B5BBE1FF96310F10017ED18AC31A2DA65E846CB51

Function 00007FFD34974073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2606060086.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c4dbb6e3713dad2047ce50d86640ddea52fc422cd992e90f0d088f7962733c
Instruction ID: f60ebadfd5a55e12609cc4febb2edc2d7c198e92b25eecbee3ed9ecc6a2cc7bd
Opcode Fuzzy Hash: e8c4dbb6e3713dad2047ce50d86640ddea52fc422cd992e90f0d088f7962733c
Instruction Fuzzy Hash: E3516D32B0DA968FEB99E61C48B15747BD1EFA6260B1840BFC18DC7197DE28EC05C351

Function 00007FFD34974370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2606060086.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695c16cfbdb52f3af065757e985170794cf238d62d2fb10fc83501020ca5e236
Instruction ID: 18e8f54f2bb0c39133d32f95958c6964fac0593f7ca6c726697e534d606dc933
Opcode Fuzzy Hash: 695c16cfbdb52f3af065757e985170794cf238d62d2fb10fc83501020ca5e236
Instruction Fuzzy Hash: 2F416A32B0DA858FEBA5D72C58A05B47BD1EF42324B0840BFC18DC7187EA18FC049391

Function 00007FFD3478EB80 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2602876551.00007FFD3478D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3478D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd3478d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7010fa54c2fac1875d7d2536d6bc7d49c16803e542d883de8bbb5aa45dbccbd
Instruction ID: 1486d33eadaa612d53fa8c51a12af1e781846e4ea28bd901d9bcce0dd0da86ff
Opcode Fuzzy Hash: d7010fa54c2fac1875d7d2536d6bc7d49c16803e542d883de8bbb5aa45dbccbd
Instruction Fuzzy Hash: D241397180DBC48FE7968B2898969523FF0EF93321B1505DFD089CB1A3D629B846C793

Function 00007FFD348A9783 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2604413285.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8b4092560a2d10156b6733ab5ba4de67744c0e759d8a86861bc82a7afd2d1a
Instruction ID: 58b098032d282c9dae0c551db3198fee6bc6165258524f799c17bbf341c340d1
Opcode Fuzzy Hash: ad8b4092560a2d10156b6733ab5ba4de67744c0e759d8a86861bc82a7afd2d1a
Instruction Fuzzy Hash: 21311831A0CB884FDB58DF5C9C466A97BE0FB99310F04416FE449D3252CA74A816CBC2

Function 00007FFD349740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2606060086.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a97a14b2c5d835aa56b1f822b3c07d045608ca09efa0ef36010fc2b3b622d79
Instruction ID: 7c53ffbc19e2ccbe33414bfe6c5c1d6eaddc2cb07829745529db7b5dc60650c1
Opcode Fuzzy Hash: 4a97a14b2c5d835aa56b1f822b3c07d045608ca09efa0ef36010fc2b3b622d79
Instruction Fuzzy Hash: E0210922B0DA978FE7A5EB1C48F05346AC1EF66250B4981BED18DC71ABCD2CEC049351

Function 00007FFD349743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2606060086.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883c3c1cca320f4ee4479ca63cec9204d6fb979a57aa73c81f2835bdad86fdf1
Instruction ID: add2f3d0b401ec9ac29e7b2c0ce413942bce30e055945f5cbb71d01b4f85f588
Opcode Fuzzy Hash: 883c3c1cca320f4ee4479ca63cec9204d6fb979a57aa73c81f2835bdad86fdf1
Instruction Fuzzy Hash: 6611E032A0E5858FE7A4D71888B45B87BD1FF0222474940FED59DD709BCA2DBC049761

Function 00007FFD3497681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2606060086.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64817820dad4108c0c2ad76de472f6c875d35bf55feb4d078e75b76e2a7d7ee
Instruction ID: 1e6a667867ba038bc4d4b9665912347d75085c4fe2635d8cd83bd964cfc2246c
Opcode Fuzzy Hash: a64817820dad4108c0c2ad76de472f6c875d35bf55feb4d078e75b76e2a7d7ee
Instruction Fuzzy Hash: C6110672B0D6884FEB65EA9848E45E87FD1EF56320B0880BEC54CCB197CD2DAC45C320

Function 00007FFD348A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2604413285.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 0c5e5649d06d92c1145b5404b9a75156bb07d5da2bacdf6660bb961c601e6699
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 5C01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45

Non-executed Functions

Function 00007FFD348A89F2 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD348A8AC9
M_^, xrefs: 00007FFD348A8A7A
M_^, xrefs: 00007FFD348A8A6A
M_^, xrefs: 00007FFD348A8A12
M_^, xrefs: 00007FFD348A89F2

Memory Dump Source

Source File: 0000000E.00000002.2604413285.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^$M_^
API String ID: 0-679677686
Opcode ID: 27e2a46e9656dd1ed175aeb1a01adf761b172e709f275e23d8212fd25ef839e2
Instruction ID: 30460ef4c793bd3f70345814317bef26e094695d181ebffd853433f520654d17
Opcode Fuzzy Hash: 27e2a46e9656dd1ed175aeb1a01adf761b172e709f275e23d8212fd25ef839e2
Instruction Fuzzy Hash: AC4130A3A0E6C25BF797472948FA0957BD0EF1335474D06F6C298CB093AD5D28439277

Function 00007FFD348A8BD3 Relevance: 7.6, Strings: 6, Instructions: 146COMMON

Download Yara Rule

Strings

M_^4, xrefs: 00007FFD348A8BC2
M_^U, xrefs: 00007FFD348A8C8A
M_^5, xrefs: 00007FFD348A8BC9
M_^Y, xrefs: 00007FFD348A8CAA
M_^@, xrefs: 00007FFD348A8C22
M_^N, xrefs: 00007FFD348A8C62

Memory Dump Source

Source File: 0000000E.00000002.2604413285.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^5$M_^@$M_^N$M_^U$M_^Y
API String ID: 0-3990506085
Opcode ID: 735afe5135d9e5d3c8005e5d0d7502ce7d7926ccbb87720d53f1231ee9732cee
Instruction ID: d5b04b7efdaf64b00cbfc85b78f0da6f302fd5d60375d25c00f5fc800f7e6ef2
Opcode Fuzzy Hash: 735afe5135d9e5d3c8005e5d0d7502ce7d7926ccbb87720d53f1231ee9732cee
Instruction Fuzzy Hash: 3D312767B085299BC21136FCB8615E97794DF9533678907F7D298CF083AC79708B8AD0

Analysis Process: powershell.exePID: 6280, Parent PID: 6468COMMON

Executed Functions

Function 00007FFD348B644D Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa625b38449af1b1a13de307eee5d6fb6af31bbf38883b7047d8e6be4c74137
Instruction ID: c3162ed094299cdde5f5e13ac348a1fe13fe51d29798ff1fcacee2c434a969c0
Opcode Fuzzy Hash: 5fa625b38449af1b1a13de307eee5d6fb6af31bbf38883b7047d8e6be4c74137
Instruction Fuzzy Hash: 74C18F30A08A4D8FDF95DF58C4A4AA97BE1FF69300F1441AAD449E7296CE74E881CBC1

Function 00007FFD348B9EF5 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae497badbfdee41ad6014d7c1a80d94ca7576897b159b772b837929df3ef758
Instruction ID: fee3230164822fe35ad10df0649ea4a7696511dbda31df2d73d8408896718b00
Opcode Fuzzy Hash: aae497badbfdee41ad6014d7c1a80d94ca7576897b159b772b837929df3ef758
Instruction Fuzzy Hash: 1371FC67A0D9C54FE712A76C58B60E93FA0EF13364F0C10BBC6888B153ED59651697C2

Function 00007FFD348BA808 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993adda09ae46aead4beeb70c132b6de0c5be4df2a03263d87a4393862a3a6cc
Instruction ID: 5da455f65cc6e699ced3823cadd17d6a31e2849d3b0bb1442053fc2abe6bfeef
Opcode Fuzzy Hash: 993adda09ae46aead4beeb70c132b6de0c5be4df2a03263d87a4393862a3a6cc
Instruction Fuzzy Hash: AA51347260DBC14FE70ADB2888E54A47BE0EF57318B1801BED499CB193ED5AA807C791

Function 00007FFD34984073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3113544004.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1279b8e8aad4963743c3571b86c261c8f023b07e8c963147d07f4caa806a8e04
Instruction ID: 7e866bcbae59523e22eb63311e98077c3aaed1bfc4e2ff8c0c715dc9d276eaa9
Opcode Fuzzy Hash: 1279b8e8aad4963743c3571b86c261c8f023b07e8c963147d07f4caa806a8e04
Instruction Fuzzy Hash: 66515832B0DA968FEBD9DA1C44B167577D2EFA6220B5801BEC24DC7197EE28EC058351

Function 00007FFD34984370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3113544004.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9014d768d501be3d133b9ee87645e3ba398cb0743b1f38f01f902b133c2ee3
Instruction ID: aa26270e6a64a5eb3bb941a18033f3c851d6f00445f3ff59b0ded7f8a6399a63
Opcode Fuzzy Hash: 8c9014d768d501be3d133b9ee87645e3ba398cb0743b1f38f01f902b133c2ee3
Instruction Fuzzy Hash: 8E41F432B0DA898FEBE9D76C54A15B477D1EF46224B0801BFD14DC7197E919BC048391

Function 00007FFD348B9FE0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347fff904494d95d8b118b689faf72ea80be2eaf44b403da7c7b3f0af325110f
Instruction ID: 0c70073cbd7fd6bd28293416c946fc938577617f4ded338eacfdb1ec1f3457e1
Opcode Fuzzy Hash: 347fff904494d95d8b118b689faf72ea80be2eaf44b403da7c7b3f0af325110f
Instruction Fuzzy Hash: 2541D867A0EEC18FE712A72858B50E53F90EF23354F0C10BBD6898B193ED9D650697C2

Function 00007FFD348B9738 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e97c00d11e3874b5dc85e2846f9c6b5d81161b7ea94b27aa24946378d19cb72
Instruction ID: c37b63b9bf93c99f5a65e0216200ee77849cef0161bc28f2be4ea51a31ebc8dd
Opcode Fuzzy Hash: 1e97c00d11e3874b5dc85e2846f9c6b5d81161b7ea94b27aa24946378d19cb72
Instruction Fuzzy Hash: 6F412A31A1CA498FDB58AF5C98566F97BE0FB95310F04817FE449C3292DB64A8168BC2

Function 00007FFD3479EB80 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3104655615.00007FFD3479D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3479D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd3479d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9914dd1459cbcb7cfd34c64fdfdcc90ae70df4735707caa27393aa5ab2363c
Instruction ID: 2530f6b1ca32bde310c39c2648b01f7e13b80ba3b359a3322f7ecd2bc51a82a9
Opcode Fuzzy Hash: 0b9914dd1459cbcb7cfd34c64fdfdcc90ae70df4735707caa27393aa5ab2363c
Instruction Fuzzy Hash: 0541277140DBC48FE7568B289895D523FF0EF53224B1905EFD089CB1E3D629B845C792

Function 00007FFD348BA730 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4262428e6bce0771dffc6990f25f166dd3f0f2c5e9562f2016c471a3a48a92db
Instruction ID: 9131919ebc6ea58da9e381815107c21397cc97a78230f321e3bb015cb0670d2b
Opcode Fuzzy Hash: 4262428e6bce0771dffc6990f25f166dd3f0f2c5e9562f2016c471a3a48a92db
Instruction Fuzzy Hash: 4D31253190CB4C4FDB58DF9C98896E97FF0EBA6320F04416FD049C3152DA74A80ACB91

Function 00007FFD349840BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3113544004.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53263c24040ac82525322552d55b59f1c025c2edb480b55ffb00ccb6eb5e03b7
Instruction ID: 42c149d5f38a3c4f239a0eebf909ee86da92dbd7a640cc61c7d97c8e14ab758a
Opcode Fuzzy Hash: 53263c24040ac82525322552d55b59f1c025c2edb480b55ffb00ccb6eb5e03b7
Instruction Fuzzy Hash: B121F522B0DA978FE7E9DB1C44F053466C2EF66214B4801BED24DC71ABEE1CEC049351

Function 00007FFD349843BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3113544004.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2074895f28f3eb64b040bbb29c10bedfbc461e3f9abda359145fbc5d1bbe6526
Instruction ID: 7266c60099a2614fbb7585289a44ee4800b36ae6338324c5406aacfa9148277e
Opcode Fuzzy Hash: 2074895f28f3eb64b040bbb29c10bedfbc461e3f9abda359145fbc5d1bbe6526
Instruction Fuzzy Hash: 8D11CE32A0E5858FE6E4D72C84B45B8BAD1EF02224B4800BED55DC749AEA1DAC049361

Function 00007FFD3498681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3113544004.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ecc2c6757e2e844a2095a42d4216eed8a9860c7628e61b48a5dd28780a5d01
Instruction ID: 69bf377857814e7b7500cf2a6edb035bfcb56e19eaa10151360835798498e59e
Opcode Fuzzy Hash: d1ecc2c6757e2e844a2095a42d4216eed8a9860c7628e61b48a5dd28780a5d01
Instruction Fuzzy Hash: BC110632B0D68C4FEBA5EA9C44E41A87BD1EF5A310F0840BEC54DDB097CD29AC45C360

Function 00007FFD348B33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: deb5d86c88e8f26112380754d293aded1f7c495d532cba5f2c16f698bcc23440
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: E201A73020CB0C4FD744EF0CE051AA6B3E0FB89320F10052DE58AC3651DA36E882CB41

Non-executed Functions

Function 00007FFD348B8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^7, xrefs: 00007FFD348B8C12
L_^4, xrefs: 00007FFD348B8BFA
L_^F, xrefs: 00007FFD348B8C7A
L_^J, xrefs: 00007FFD348B8C8A

Memory Dump Source

Source File: 00000011.00000002.3109514098.00007FFD348B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b5000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: db0c1d812fb334ef627ac546dd3fad6e1f4be7f409516e181b75d3ed5e758025
Instruction ID: c8f5dac7c87642043c643811192ed0d3f1ce2d220aeccaec631159cc4bf272a0
Opcode Fuzzy Hash: db0c1d812fb334ef627ac546dd3fad6e1f4be7f409516e181b75d3ed5e758025
Instruction Fuzzy Hash: 1A21D1B77085256ED2127BFDB8255EE3764CB9437434962B2D2989B053EA34708A8AE0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UH7iNNKgPW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UH7iNNKgPW.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0laiuu5a.43r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0q1o4an5.5xs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3qhksazs.y2i.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rjljiwu.x1w.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55pkjazo.w12.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5axlstur.qxb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfyfzqj0.3xz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3orsoly.e4g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3umcrtz.wcy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpyndwbw.qgo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3znqaiw.sbj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fezj51pd.lfs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ha4qrnbm.wdr.ps1

Windows Analysis Report
UH7iNNKgPW.exe