Edit tour

Windows Analysis Report
SharkHack.exe

Overview

General Information

Sample name:	SharkHack.exe
Analysis ID:	1584532
MD5:	0d1c90879f6b3ca5a83de2f180046f65
SHA1:	2d9efc7befa58e744bdd93ff1c2d2a6e2f144b52
SHA256:	7d30c5701274f858ab179e726a0e86e7040f339d5e252db85f3a5638f2ef731e
Tags:	exexwormuser-aachum
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SharkHack.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\SharkHack.exe" MD5: 0D1C90879F6B3CA5A83DE2F180046F65)

powershell.exe (PID: 7556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SharkHack.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7828 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5252 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

RuntimeBroker.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" MD5: 0D1C90879F6B3CA5A83DE2F180046F65)

RuntimeBroker.exe (PID: 2720 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" MD5: 0D1C90879F6B3CA5A83DE2F180046F65)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "24.ip.gl.ply.gg"], "Port": 61472, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SharkHack.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
SharkHack.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
SharkHack.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xe0d4:$str01: $VB$Local_Port 0xe101:$str02: $VB$Local_Host 0xbbed:$str03: get_Jpeg 0xc5a7:$str04: get_ServicePack 0xf440:$str05: Select * from AntivirusProduct 0xf9d8:$str06: PCRestart 0xf9ec:$str07: shutdown.exe /f /r /t 0 0xfa9e:$str08: StopReport 0xfa74:$str09: StopDDos 0xfb76:$str10: sendPlugin 0xfd04:$str12: -ExecutionPolicy Bypass -File " 0x10186:$str13: Content-length: 5235
SharkHack.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf0e8:$s6: VirtualBox 0xf046:$s8: Win32_ComputerSystem 0x118ba:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11957:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11a6c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x100a1:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xe0d4:$str01: $VB$Local_Port 0xe101:$str02: $VB$Local_Host 0xbbed:$str03: get_Jpeg 0xc5a7:$str04: get_ServicePack 0xf440:$str05: Select * from AntivirusProduct 0xf9d8:$str06: PCRestart 0xf9ec:$str07: shutdown.exe /f /r /t 0 0xfa9e:$str08: StopReport 0xfa74:$str09: StopDDos 0xfb76:$str10: sendPlugin 0xfd04:$str12: -ExecutionPolicy Bypass -File " 0x10186:$str13: Content-length: 5235
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf0e8:$s6: VirtualBox 0xf046:$s8: Win32_ComputerSystem 0x118ba:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11957:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11a6c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x100a1:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeee8:$s6: VirtualBox 0xee46:$s8: Win32_ComputerSystem 0x116ba:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11757:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1186c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfea1:$cnc4: POST / HTTP/1.1
00000000.00000002.2751589227.00000000026BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2751589227.0000000002745000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SharkHack.exe PID: 7432	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SharkHack.exe.370000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.SharkHack.exe.370000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SharkHack.exe.370000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xe0d4:$str01: $VB$Local_Port 0xe101:$str02: $VB$Local_Host 0xbbed:$str03: get_Jpeg 0xc5a7:$str04: get_ServicePack 0xf440:$str05: Select * from AntivirusProduct 0xf9d8:$str06: PCRestart 0xf9ec:$str07: shutdown.exe /f /r /t 0 0xfa9e:$str08: StopReport 0xfa74:$str09: StopDDos 0xfb76:$str10: sendPlugin 0xfd04:$str12: -ExecutionPolicy Bypass -File " 0x10186:$str13: Content-length: 5235
0.0.SharkHack.exe.370000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf0e8:$s6: VirtualBox 0xf046:$s8: Win32_ComputerSystem 0x118ba:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11957:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11a6c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x100a1:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\SharkHack.exe, ProcessId: 7432, TargetFilename: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SharkHack.exe", ParentImage: C:\Users\user\Desktop\SharkHack.exe, ParentProcessId: 7432, ParentProcessName: SharkHack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', ProcessId: 7556, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , CommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , ProcessId: 7564, ProcessName: RuntimeBroker.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SharkHack.exe", ParentImage: C:\Users\user\Desktop\SharkHack.exe, ParentProcessId: 7432, ParentProcessName: SharkHack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', ProcessId: 7556, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SharkHack.exe, ProcessId: 7432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\SharkHack.exe, ProcessId: 7432, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SharkHack.exe", ParentImage: C:\Users\user\Desktop\SharkHack.exe, ParentProcessId: 7432, ParentProcessName: SharkHack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe', ProcessId: 7556, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:24:02.000490+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:11.300388+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:23.729235+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:32.000157+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:36.190686+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:48.138772+0100	2852870	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:24:11.308969+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	147.185.221.24	61472	TCP
2025-01-05T19:24:23.731789+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	147.185.221.24	61472	TCP
2025-01-05T19:24:36.198259+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	147.185.221.24	61472	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:24:02.000490+0100	2852874	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:32.000157+0100	2852874	1	Malware Command and Control Activity Detected	147.185.221.24	61472	192.168.2.4	49739	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:24:23.398212+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	49739	147.185.221.24	61472	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SharkHack.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: SharkHack.exe

Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "24.ip.gl.ply.gg"], "Port": 61472, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: SharkHack.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SharkHack.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: SharkHack.exe	String decryptor: 127.0.0.1,24.ip.gl.ply.gg
Source: SharkHack.exe	String decryptor: 61472
Source: SharkHack.exe	String decryptor: <123456789>
Source: SharkHack.exe	String decryptor: <Xwormmm>
Source: SharkHack.exe	String decryptor:
Source: SharkHack.exe	String decryptor: USB.exe
Source: SharkHack.exe	String decryptor: %AppData%
Source: SharkHack.exe	String decryptor: RuntimeBroker.exe

Source: SharkHack.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SharkHack.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.24:61472 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.24:61472 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49739 -> 147.185.221.24:61472
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49739 -> 147.185.221.24:61472

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: 24.ip.gl.ply.gg

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.24 ports 61472,1,2,4,6,7

Yara detected Generic Downloader

Source: Yara match	File source: SharkHack.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 147.185.221.24:61472

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 24.ip.gl.ply.gg

Source: powershell.exe, 00000007.00000002.2008416724.000001C8FC2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000007.00000002.2008416724.000001C8FC2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1776517040.000002C877A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: SharkHack.exe, 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: SharkHack.exe, RuntimeBroker.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1766805871.000002C810075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1855873236.0000019FADC65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1982934621.000001C890075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.2216895438.000001AEE648C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: powershell.exe, 00000001.00000002.1747443576.000002C800229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DE19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C88022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SharkHack.exe, 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1747443576.000002C800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1747443576.000002C800229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DE19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C88022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2216895438.000001AEE6443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000001.00000002.1747443576.000002C800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1766805871.000002C810075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1855873236.0000019FADC65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1982934621.000001C890075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: 01 00 00 00			Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: 00 00 00 00			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: SharkHack.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: SharkHack.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7DDFA4	0_2_00007FFD9B7DDFA4
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D16E9	0_2_00007FFD9B7D16E9
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D5EB6	0_2_00007FFD9B7D5EB6
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D2181	0_2_00007FFD9B7D2181
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D6C62	0_2_00007FFD9B7D6C62
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D1EF9	0_2_00007FFD9B7D1EF9
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D10FA	0_2_00007FFD9B7D10FA
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 13_2_00007FFD9B8016E9	13_2_00007FFD9B8016E9
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 13_2_00007FFD9B800E5E	13_2_00007FFD9B800E5E
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 13_2_00007FFD9B801EF9	13_2_00007FFD9B801EF9
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 14_2_00007FFD9B7D16E9	14_2_00007FFD9B7D16E9
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 14_2_00007FFD9B7D0E5E	14_2_00007FFD9B7D0E5E
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 14_2_00007FFD9B7D1EF9	14_2_00007FFD9B7D1EF9

Source: SharkHack.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SharkHack.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: SharkHack.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SharkHack.exe, EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SharkHack.exe, EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SharkHack.exe, hQjUy4kbhBmQRdVtWrkycoPlGUujau0Ee0OvYZs8yhuUyHIXyg92P1PHXQlcrTKYKyOSMbwDryOBT9V.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RuntimeBroker.exe.0.dr, EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RuntimeBroker.exe.0.dr, EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RuntimeBroker.exe.0.dr, hQjUy4kbhBmQRdVtWrkycoPlGUujau0Ee0OvYZs8yhuUyHIXyg92P1PHXQlcrTKYKyOSMbwDryOBT9V.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: RuntimeBroker.exe.0.dr, wXxEcDf02H7HY9q7sdGId9O2k8RLiZadGsANkHpvrGcZ74j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: RuntimeBroker.exe.0.dr, wXxEcDf02H7HY9q7sdGId9O2k8RLiZadGsANkHpvrGcZ74j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SharkHack.exe, wXxEcDf02H7HY9q7sdGId9O2k8RLiZadGsANkHpvrGcZ74j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SharkHack.exe, wXxEcDf02H7HY9q7sdGId9O2k8RLiZadGsANkHpvrGcZ74j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/24@2/2

Source: C:\Users\user\Desktop\SharkHack.exe

File created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Users\user\Desktop\SharkHack.exe	Mutant created: \Sessions\1\BaseNamedObjects\LnxZb33PyQIr3Xem
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Users\user\Desktop\SharkHack.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SharkHack.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat""

Source: SharkHack.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SharkHack.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SharkHack.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SharkHack.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SharkHack.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\SharkHack.exe

File read: C:\Users\user\Desktop\SharkHack.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SharkHack.exe "C:\Users\user\Desktop\SharkHack.exe"
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SharkHack.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SharkHack.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3

Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\SharkHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: RuntimeBroker.lnk.0.dr

LNK file: ..\..\..\..\..\RuntimeBroker.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SharkHack.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SharkHack.exe

Static file information: File size 4048896 > 1048576

Source: SharkHack.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.ejFt281ZDoHUO8rUw4hOFkVPUufs72IuNxSqqEhzaf4mUrl,bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.dy8E8yeEgzbXEh1PFsKPkmkWWeqxQ6YugOOKw2I9bwtjAsR,bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.E3NZLw8N84l3x0kQej3P7Sv8gJor7UXhU3qDrXvpPzyEsAF,bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.ovoGlhWeCL2xTbBCsXYE0k2yeOQiaej0YmfCI6RnSPew7qN,EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.Haq8KMwfhkFF9MhYdF8y45NEGgxSlJAQKQK2QpbVCe9aUDdInmjSLYKQeF9Oreen5R03VYfzsrR68cc()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{iSA49BQGyoxkhRwyhhtA11IO8JUbYV0Ou3BF2pOlszGRjVv[2],EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.qxIYyClufFUckMBVBztOzJXDv1oWwSyc97Krh6fffbzwbjllfIujUAxf1NUS5tUi08hfg49H3lpPUjv(Convert.FromBase64String(iSA49BQGyoxkhRwyhhtA11IO8JUbYV0Ou3BF2pOlszGRjVv[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { iSA49BQGyoxkhRwyhhtA11IO8JUbYV0Ou3BF2pOlszGRjVv[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.ejFt281ZDoHUO8rUw4hOFkVPUufs72IuNxSqqEhzaf4mUrl,bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.dy8E8yeEgzbXEh1PFsKPkmkWWeqxQ6YugOOKw2I9bwtjAsR,bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.E3NZLw8N84l3x0kQej3P7Sv8gJor7UXhU3qDrXvpPzyEsAF,bmC9il1z4Egf8jalqsNOR0VhT33RlUpxFqWh1oXawwJvPbH.ovoGlhWeCL2xTbBCsXYE0k2yeOQiaej0YmfCI6RnSPew7qN,EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.Haq8KMwfhkFF9MhYdF8y45NEGgxSlJAQKQK2QpbVCe9aUDdInmjSLYKQeF9Oreen5R03VYfzsrR68cc()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{iSA49BQGyoxkhRwyhhtA11IO8JUbYV0Ou3BF2pOlszGRjVv[2],EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.qxIYyClufFUckMBVBztOzJXDv1oWwSyc97Krh6fffbzwbjllfIujUAxf1NUS5tUi08hfg49H3lpPUjv(Convert.FromBase64String(iSA49BQGyoxkhRwyhhtA11IO8JUbYV0Ou3BF2pOlszGRjVv[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { iSA49BQGyoxkhRwyhhtA11IO8JUbYV0Ou3BF2pOlszGRjVv[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: _2DSc9ACl5yHfVVTHQhLDUMCGS0XBxCtrLiodPyMzcMVpyo6 System.AppDomain.Load(byte[])
Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: _0EHram4PvyDsiahOPLNd2AeRl6Asds8jUSs2wjb7In4y2jU System.AppDomain.Load(byte[])
Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: _0EHram4PvyDsiahOPLNd2AeRl6Asds8jUSs2wjb7In4y2jU
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: _2DSc9ACl5yHfVVTHQhLDUMCGS0XBxCtrLiodPyMzcMVpyo6 System.AppDomain.Load(byte[])
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: _0EHram4PvyDsiahOPLNd2AeRl6Asds8jUSs2wjb7In4y2jU System.AppDomain.Load(byte[])
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	.Net Code: _0EHram4PvyDsiahOPLNd2AeRl6Asds8jUSs2wjb7In4y2jU

Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D814D push ebx; ret	0_2_00007FFD9B7D816A
Source: C:\Users\user\Desktop\SharkHack.exe	Code function: 0_2_00007FFD9B7D00AD pushad ; iretd	0_2_00007FFD9B7D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B6CD2A5 pushad ; iretd	1_2_00007FFD9B6CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7E2785 push ebx; retf	1_2_00007FFD9B7E290A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7E28FA push ebx; retf	1_2_00007FFD9B7E290A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7E00AD pushad ; iretd	1_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8B2316 push 8B485F93h; iretd	1_2_00007FFD9B8B231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B6CD2A5 pushad ; iretd	4_2_00007FFD9B6CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B7E00AD pushad ; iretd	4_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B8B2316 push 8B485F93h; iretd	4_2_00007FFD9B8B231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B6DD2A5 pushad ; iretd	7_2_00007FFD9B6DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B7F00AD pushad ; iretd	7_2_00007FFD9B7F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8C2316 push 8B485F92h; iretd	7_2_00007FFD9B8C231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8C1AC8 push es; retf	7_2_00007FFD9B8C1AC9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B6ED2A5 pushad ; iretd	11_2_00007FFD9B6ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B8000AD pushad ; iretd	11_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B8D2316 push 8B485F91h; iretd	11_2_00007FFD9B8D231B
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 13_2_00007FFD9B8000AD pushad ; iretd	13_2_00007FFD9B8000C1
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 14_2_00007FFD9B7D00AD pushad ; iretd	14_2_00007FFD9B7D00C1

Source: SharkHack.exe, SKz5CXCMT99WQyfEYtdOuWwi3cnhQGQxrz4y3Fk0kwdUI2DhD3MFUYvjNKOBIGCm5gDh22T2kmBFy0P.cs	High entropy of concatenated method names: 'yjIfwuptEhue6Gu0FDeSkK4fLTuiHMfAZ386npm1jR8XrWIxM6raecNJNetbpVhqDWhWu7Ja0ddqQ0k', 'dX7381BWVAeoi8mFV5kRA', 'q6TsvUEh3HnjG2zOvZrEZ', 'FODvGRrnBpQoZf4INyOocEB1e7kCoxihFfLfrln', 'i7oB5GRXIRuJqIzcIxl8w1fqQLIt4KmEUBqu0pP', '_0BTRTE4tGHpDH5ozKtUGOvEXIM7dXelc17g36Ln', 'JhwV7iXnA4ZTWevegFp211LKTAkQfxRioXEzaw2', 'ue7cUpZWBPwm5bf0SfHBtj0Qc79YNs9vocjhBj7', 'LIZjxtXVcRQr7qRaeTJMsf04TALYmgIGbNMuRXu', 'HEn2ZWb1Xlb7yVMz9X9BO5X1u8Jb0XsSsSjiIXV'
Source: SharkHack.exe, rNXCiXMGl47rogJj5tDpOUeBLj4PIePEqS8eN0arIJ4200sJv3gsZQQc39iqh.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KI4mOCU1XwDoqCkTH9Nry', '_1PzbyRaqw2iVbtk8HuLi3', 'nIrjlwQw641dIsmASWSX0', 'OzsNoSfdm2epRfI3cBbNd'
Source: SharkHack.exe, 4OQ2Ta2NWVEi3XX53q0pTVUA28wfsXvp2B5MTuScE5QBBrI.cs	High entropy of concatenated method names: 'Qfcr8fvuYllYHbgxLn1Yn2zztm4vzhMpu5W6ZUynURH1MQj', 'HFydv6ls4mD1VP5Ub56grFmkm7bjj4OAUJ8D4LNIhYPvDnYK2UX11QIxzohcfMnIBtVBG0uoCnUFEAkW5Lki7g1kw1ViHUYLr', 'A8YqC5JfNqmTVyBv66vBNAq6sXZl60IbTss4LHUtiPPAJtCLHSfoLqaiN3ttdSNhs3ZM6X4uW9TYPxSnocARfi7TFLl6xofQq', 'DDssjVz7tiGwuQHs9MhcBoYfY82zkvjg7nb5gbY98vQVYRBvzKo4z3XV9LF981Ro2Y8cBLafsZ9cs4JzjhP9q8AMVIFpy1sip', '_920tf7HvllYQKc9Ho0g4CmJktuI1pdc30w51dp5tgtvZ88wj26ogPzqjwBv0TkcYJhMxHM1xOGMMYylnUano4iMQpDpvPWXwE'
Source: SharkHack.exe, uBQJk1Nf3LsTO2ZGdhlRaiwbggzgn9xSox0Fzg3JUhyVryz.cs	High entropy of concatenated method names: 's9rR0xnNoQwmxKRYKXAmFQDhBU1IiU3zojCplTbJS29fRDb', 'dlqVbIyaFrNdcN9BdHBeZxKsAhh3AOssxq6eJnHiWebCBM8', 'rLJVpdIFz9bgyv1iC9C9S2zqQDOVDCWx71pISFl8gpDaGe3', '_2pnY0uDZ6ejxzSsqX0iVq9IzLZmP9sAyc5DqBziq3zDTs3d', 'SLAfxT1MxS56XrHQnxYdoqpCo5IavWNDwuUrU0JInct6E1t', 'xECM8CfJiCbihUoCI0asG01iF6Rn0TbPMKRKbca5UjYSHj3', 'WqWBSesZfF5ztbivpkZRyfZ7jzA1kJ5Z3xO00BHT9XaYMCg', '_0j49jmtgcOYYT01F7HZpXmDHTFyv4FwMs6vQXE250NbyEQ1', 'aRIrBqvRX3fsLm1zWL1fSDdiOPfc6R4QdWjBSZ7WQiWhoWWB6TsyNmvDGoF2UajxldaxSfUgWG8XhHI', '_4WclHXfM8ZoQQ4nVnD8QEjhv667Ja6DZ68gfXypfMZaZQ1PBiYKJlHie3XlnAWNNxDwl9ZRn6u24VhH'
Source: SharkHack.exe, EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.cs	High entropy of concatenated method names: '_4M9kdrvrgcZoWw8i094T5RCytQbqcMDWiedCRBzBzpjKPSIJ6A8YaxFTkYbgSWZ9emhSbePbCnCcNph', 'G49fkDZidTcQcM7mFO7ftqTw9od2707GHmvlI7srbs9zvyHhcTHr4FwsDsS35Hf1BsgnSEDGlksqNli', 'zcl2swGUdzoyk0b92Je2xJjShhFT6H0ZoRjE3HZIkKbHj3KgqDZTsXH1RLo6Rlsxh4sLpuFkWwgNgXo', 'Lew2w02jhN5dQlaAYlxR7sYT3PASE2yyMlI79hSncqg7SrZrRWHMHwH94E5c0ZUtmcehxubwJw4S463', '_8rt2gr63YAPfhXwwmkfAIe5MwtPsJ2g1Br9Cdshs0RfnQ0xBoH8I8kMCQO7jpQna62eWRHQMIlpLpUb', 'UhwUc1ynTzKrcNH03sYMVAlfBNL24eHhdvm6gENt2vjVAfccxRA1XEmNacS7NEfHX98zJJW5Fdrzik9', 'c8JO9mEEPaylF8sjxbXRoGcAN4O8awcZHYfNCmEmEBu5fzZrfIuunie3JKnRwlxS4sIkxA2yR4uPixD', '_7qzm73VPDVLirLkqzEqamsL1K4w7iA3LJawVojxbG7oF4jnXRR3EtvmCJOvmKjUGzVEoIEBdNHHkEX0', 'UdhG5WvtrBRJ8zK3XC31ywTb2JPS1SU95lLWlpC5iq6KgaDlzryQGvzbULjQskV9f7GhBdcDRHPB24R', 'C80Vq2IAxsjNpRdXcwtw8RXelrBstpfw4ZfJeL2zxKxyg9lpdnFbTmGo9iO4JqArlyJ9WUTn4ZY2OrC'
Source: SharkHack.exe, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	High entropy of concatenated method names: 'AY9sAovfFmlVnoHPZK4pkM21oluO6rnNUPgqjexn8t0AK5l', '_2DSc9ACl5yHfVVTHQhLDUMCGS0XBxCtrLiodPyMzcMVpyo6', 'eFDfO4QNfxtD6ZMd2lCgqdr48lxpmf5mHXCOQz7XoIv8XfG', 'K8JrFCtNWi1fwxdwxA5U73jW4rysTdBgbbbcQmDl4gfBMaI', 'Ny1OuK9uqQtf6boACb7z9oiANdrn7MwTjPNGfWcMc8Ifgpf', 'V7vJrifrxuWX5QFzOo2DZJE0rqLKPmVRtFIT82fUaPFrnaj', 'MzjQ7tFJU8ZtQowBISmxC0whUoz1nrt9gsTZkzr8vDqnVEz', 'uv3V8l4Az3kJWw9GGtdG1Ke98dfWtGZwXJ7K0FkZry3bh4V', 'E9W3I9l74vEWGKJmhARqdeFn7LoygdY8lfJ0tvEiB9G2KNV', '_52G2vyz1mcWcOvi4wO3KKg9X9UwuJR8PZlbhr8Ggit6e39Z'
Source: SharkHack.exe, xYwHoRcCiTpXh6hGLJJX5IzMRsvrtaa6nHlraHertYDV0wU.cs	High entropy of concatenated method names: 'jgUoFCkqjfRfpwkdOziHlMMQBPXEKS4tZdbr8qr0xZrsZkd', 'gxJrY2hE5Sco5fFKm0dHgWovMJdN2EJfhG9pIUjdCecCjjd', 'vBWErCSobLYNumde9zj9PlY0jrnqrAwYFyVkwJ7aOxXHHrk', 'DQPPTtisbbdjzMW0XNoweHm31d36UYPBPwpsMiE0SV7nyhV', 'MV1RXDGSFCZGB07L337azkReK0dSlBugM57EWCuR1h3OGoh', 'tT2Al7qkckqgCmtgpXRyrBfXsgsnWTFyGINr96OyUCsKo8l', 'beWGnSumvBo33B5P5IJ4ivRkoXj4qiT8aMEgxGPAfB2RRzh', 'KteXpAJlxeVpLBHpS7vYblvtWuB73AiKENXpYCfznljlmPf', 'gGWs9b1qqbahzAtbmh8x1o21qPiRwfyD8EQt1Uc2JEAz94L', 'n6d8HwaDzJTsT2KePV7r5T7hD7oor6QKjJtYb3TbVJSXcXs'
Source: SharkHack.exe, wXxEcDf02H7HY9q7sdGId9O2k8RLiZadGsANkHpvrGcZ74j.cs	High entropy of concatenated method names: 'kEmwfxsPDK0kzwceTl3J22Hb21rK4FrvrLAjy9bsUk4MIOk', 'lXMgEo74tUXufbmU74xFmoGNCDoJVHbSNzhxj0KWgvyZQI6', 'QYeSuxErJXDp8vhJVdIcZfEm3VIbDZv3IdDa4Bf7SQPVHCB', 'OBUhtxDVKLFIRrqdYEClWf0MhZxLy3LQChu5pU4bYpJ3eKh', 'diAu8pw2Kz1KxszfW9lfokMrgZHFFEPipjGEk5jC1mW6S6b', 'ifCVKzollItpZgVOZXZxEGYxaZuJnaeu8075YrOlHvvCiEo', 'ISGair7GUw2jqZs608b8LxADHMrV8QT5mnXchGFYlF6K8b5', '_50SZdifHF8WkP3HKeLRKjtw7tseKEsoNGIdwCug3xw6RNrS', 'bD3HB1N6TJvLBQgCtCH2UcgiKtIGYwue6DwIvHIU4KVjl5g', 'J4BmX3rwYAkpvB0mqTHyGZ7AA6Avpf0txqr9d58dbynwdNx'
Source: SharkHack.exe, VbZf7pWxoMFRAIXJaewPgs8xCHPW520ovh0tzokPuR6TWAoURAXwUTUnINBFGDNoty2tusXxc2kKXYp.cs	High entropy of concatenated method names: 'goyHKqF47daVYJxFih7ca0MPzprm22BtwNn2pb0SuYx4e72y0Bhq0exQBExOr3ws502duvce5183kPN', 's5ZDhOyTHvopbBCjq1eKGaOmM4LNU5ImuUUvROmhHYxFSMafifuaWZkMmD8sMSRgcp4jfXtynC3HbJj', 'ArJQEhzioGBUhbYOyW1DYNqmCxTulA9gnLhG25rAm339Ecv9rDYdvZCO1weDTJTHXjWn8AavKCoBy2X', 'YotpBj3dZveqcY8SwdRVlfq9cVMYuLDJLu3nP5GrMTT9V5WkfPe5lZapGpxLAEKQ5h7wmZSM2Z1eqn4', 'cQmO6f0jxzgFUS2gu9FPJJ6Guem58RRrGbRJHXEESiZA0Gaa28LWeMXchbgXUouY984UqZ2g5stHsJgDRGVr1Sdm7DFCK525H', 'StReneRqL6VzB2vHMakcf9IElBRoBtXS2vMNOPUsPcVOo6j6vIHPE7UxmSzw5qUq33inDgZNXsK25zBU8MY3myBKGtaEShei7', 'SWYJzI18jgn3nTq6M5RUUAahsMcDbOcXY5BDZfG8WBsACYXnyOTyGWbYbbK2lKMPLhFbA4JORR97haXcJQRGwSJRI6BM1ODOU', 'k770w2yamks7EO3Dtn3jsfQ7a0vBRvFj4jUK32CO6Sh7aBKTzlhkqT4v6wvjrdgibAHa0yvLWzPQESKvtzbQvKt2TuBgkjH2u', 'Pk6mugdGpKXzQMWOnl7B37tB6zxD00WcjvTwsbkF8ttCCG58S9ETfjNuvEMJ8XuOOrERPuDY5iZupzhQcgcHmUxNnEygLf1X8', '_8Zp8mcSK5D57GuRtFIq5KfjX61DnmfNvZvO8sxkiKtRvstFmYpQRoeW4BaYzgdW4Jb455wfxp0NwyPM5BOsE85qjzZysSs4PJ'
Source: SharkHack.exe, hQjUy4kbhBmQRdVtWrkycoPlGUujau0Ee0OvYZs8yhuUyHIXyg92P1PHXQlcrTKYKyOSMbwDryOBT9V.cs	High entropy of concatenated method names: 'ciDEMcw56Cej0ffMmwnxdKtOTtl6YFngfbkAH5GQvpcAWJPSfqMXtsEaevE8sT6VzLTYyIL86Y0euhH', 'zR6PUdzZAO2A1z7t5ChZXc3rlrqGgdMA3qCT06rtZC20kidfab42wulAonpp5BNi8Pwwb49YKSFPpxzaE4Ma3vyGgOKdHB5Se', 'zdfHM5AmxT20GAWJ7ybtxXK8KwcKFoZHz6bP4V5ktSZ7bs2sJxeQ6EC7NXyVdoYED3bquHiPHw1AGz08Nrl8YNymkEbPHA5qF', 'Jb4QA3SVGMf8UlncQgjJRdUer3zUzszpAMgzOsoLoAkn3gJV0ftT93Az5ksJFvRCdZC9SnsQgSvFdkAsK1i1tcf8Xuy52ANtl', 'n7mLzMkcbWTUvZUDDMwb3oKcHT0ftRwqmWNmMJAuzC5Qvgox1bCzOZGeAC1HXWzyYT94EE9R22LiJb4BrnXdbi04QW4YGTkXV'
Source: RuntimeBroker.exe.0.dr, SKz5CXCMT99WQyfEYtdOuWwi3cnhQGQxrz4y3Fk0kwdUI2DhD3MFUYvjNKOBIGCm5gDh22T2kmBFy0P.cs	High entropy of concatenated method names: 'yjIfwuptEhue6Gu0FDeSkK4fLTuiHMfAZ386npm1jR8XrWIxM6raecNJNetbpVhqDWhWu7Ja0ddqQ0k', 'dX7381BWVAeoi8mFV5kRA', 'q6TsvUEh3HnjG2zOvZrEZ', 'FODvGRrnBpQoZf4INyOocEB1e7kCoxihFfLfrln', 'i7oB5GRXIRuJqIzcIxl8w1fqQLIt4KmEUBqu0pP', '_0BTRTE4tGHpDH5ozKtUGOvEXIM7dXelc17g36Ln', 'JhwV7iXnA4ZTWevegFp211LKTAkQfxRioXEzaw2', 'ue7cUpZWBPwm5bf0SfHBtj0Qc79YNs9vocjhBj7', 'LIZjxtXVcRQr7qRaeTJMsf04TALYmgIGbNMuRXu', 'HEn2ZWb1Xlb7yVMz9X9BO5X1u8Jb0XsSsSjiIXV'
Source: RuntimeBroker.exe.0.dr, rNXCiXMGl47rogJj5tDpOUeBLj4PIePEqS8eN0arIJ4200sJv3gsZQQc39iqh.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KI4mOCU1XwDoqCkTH9Nry', '_1PzbyRaqw2iVbtk8HuLi3', 'nIrjlwQw641dIsmASWSX0', 'OzsNoSfdm2epRfI3cBbNd'
Source: RuntimeBroker.exe.0.dr, 4OQ2Ta2NWVEi3XX53q0pTVUA28wfsXvp2B5MTuScE5QBBrI.cs	High entropy of concatenated method names: 'Qfcr8fvuYllYHbgxLn1Yn2zztm4vzhMpu5W6ZUynURH1MQj', 'HFydv6ls4mD1VP5Ub56grFmkm7bjj4OAUJ8D4LNIhYPvDnYK2UX11QIxzohcfMnIBtVBG0uoCnUFEAkW5Lki7g1kw1ViHUYLr', 'A8YqC5JfNqmTVyBv66vBNAq6sXZl60IbTss4LHUtiPPAJtCLHSfoLqaiN3ttdSNhs3ZM6X4uW9TYPxSnocARfi7TFLl6xofQq', 'DDssjVz7tiGwuQHs9MhcBoYfY82zkvjg7nb5gbY98vQVYRBvzKo4z3XV9LF981Ro2Y8cBLafsZ9cs4JzjhP9q8AMVIFpy1sip', '_920tf7HvllYQKc9Ho0g4CmJktuI1pdc30w51dp5tgtvZ88wj26ogPzqjwBv0TkcYJhMxHM1xOGMMYylnUano4iMQpDpvPWXwE'
Source: RuntimeBroker.exe.0.dr, uBQJk1Nf3LsTO2ZGdhlRaiwbggzgn9xSox0Fzg3JUhyVryz.cs	High entropy of concatenated method names: 's9rR0xnNoQwmxKRYKXAmFQDhBU1IiU3zojCplTbJS29fRDb', 'dlqVbIyaFrNdcN9BdHBeZxKsAhh3AOssxq6eJnHiWebCBM8', 'rLJVpdIFz9bgyv1iC9C9S2zqQDOVDCWx71pISFl8gpDaGe3', '_2pnY0uDZ6ejxzSsqX0iVq9IzLZmP9sAyc5DqBziq3zDTs3d', 'SLAfxT1MxS56XrHQnxYdoqpCo5IavWNDwuUrU0JInct6E1t', 'xECM8CfJiCbihUoCI0asG01iF6Rn0TbPMKRKbca5UjYSHj3', 'WqWBSesZfF5ztbivpkZRyfZ7jzA1kJ5Z3xO00BHT9XaYMCg', '_0j49jmtgcOYYT01F7HZpXmDHTFyv4FwMs6vQXE250NbyEQ1', 'aRIrBqvRX3fsLm1zWL1fSDdiOPfc6R4QdWjBSZ7WQiWhoWWB6TsyNmvDGoF2UajxldaxSfUgWG8XhHI', '_4WclHXfM8ZoQQ4nVnD8QEjhv667Ja6DZ68gfXypfMZaZQ1PBiYKJlHie3XlnAWNNxDwl9ZRn6u24VhH'
Source: RuntimeBroker.exe.0.dr, EaDgd1zV3hASIEwXtjFNbawssMBiYSLan3LMYcaCCMrXvA7FKexK57GMULGDGNoKVeMxQ5IvhPsAMqW.cs	High entropy of concatenated method names: '_4M9kdrvrgcZoWw8i094T5RCytQbqcMDWiedCRBzBzpjKPSIJ6A8YaxFTkYbgSWZ9emhSbePbCnCcNph', 'G49fkDZidTcQcM7mFO7ftqTw9od2707GHmvlI7srbs9zvyHhcTHr4FwsDsS35Hf1BsgnSEDGlksqNli', 'zcl2swGUdzoyk0b92Je2xJjShhFT6H0ZoRjE3HZIkKbHj3KgqDZTsXH1RLo6Rlsxh4sLpuFkWwgNgXo', 'Lew2w02jhN5dQlaAYlxR7sYT3PASE2yyMlI79hSncqg7SrZrRWHMHwH94E5c0ZUtmcehxubwJw4S463', '_8rt2gr63YAPfhXwwmkfAIe5MwtPsJ2g1Br9Cdshs0RfnQ0xBoH8I8kMCQO7jpQna62eWRHQMIlpLpUb', 'UhwUc1ynTzKrcNH03sYMVAlfBNL24eHhdvm6gENt2vjVAfccxRA1XEmNacS7NEfHX98zJJW5Fdrzik9', 'c8JO9mEEPaylF8sjxbXRoGcAN4O8awcZHYfNCmEmEBu5fzZrfIuunie3JKnRwlxS4sIkxA2yR4uPixD', '_7qzm73VPDVLirLkqzEqamsL1K4w7iA3LJawVojxbG7oF4jnXRR3EtvmCJOvmKjUGzVEoIEBdNHHkEX0', 'UdhG5WvtrBRJ8zK3XC31ywTb2JPS1SU95lLWlpC5iq6KgaDlzryQGvzbULjQskV9f7GhBdcDRHPB24R', 'C80Vq2IAxsjNpRdXcwtw8RXelrBstpfw4ZfJeL2zxKxyg9lpdnFbTmGo9iO4JqArlyJ9WUTn4ZY2OrC'
Source: RuntimeBroker.exe.0.dr, 1mXHNTxntaVHAy0fJYXeAgb5gsAFVHxOJ7qVWqASfOy36v6.cs	High entropy of concatenated method names: 'AY9sAovfFmlVnoHPZK4pkM21oluO6rnNUPgqjexn8t0AK5l', '_2DSc9ACl5yHfVVTHQhLDUMCGS0XBxCtrLiodPyMzcMVpyo6', 'eFDfO4QNfxtD6ZMd2lCgqdr48lxpmf5mHXCOQz7XoIv8XfG', 'K8JrFCtNWi1fwxdwxA5U73jW4rysTdBgbbbcQmDl4gfBMaI', 'Ny1OuK9uqQtf6boACb7z9oiANdrn7MwTjPNGfWcMc8Ifgpf', 'V7vJrifrxuWX5QFzOo2DZJE0rqLKPmVRtFIT82fUaPFrnaj', 'MzjQ7tFJU8ZtQowBISmxC0whUoz1nrt9gsTZkzr8vDqnVEz', 'uv3V8l4Az3kJWw9GGtdG1Ke98dfWtGZwXJ7K0FkZry3bh4V', 'E9W3I9l74vEWGKJmhARqdeFn7LoygdY8lfJ0tvEiB9G2KNV', '_52G2vyz1mcWcOvi4wO3KKg9X9UwuJR8PZlbhr8Ggit6e39Z'
Source: RuntimeBroker.exe.0.dr, xYwHoRcCiTpXh6hGLJJX5IzMRsvrtaa6nHlraHertYDV0wU.cs	High entropy of concatenated method names: 'jgUoFCkqjfRfpwkdOziHlMMQBPXEKS4tZdbr8qr0xZrsZkd', 'gxJrY2hE5Sco5fFKm0dHgWovMJdN2EJfhG9pIUjdCecCjjd', 'vBWErCSobLYNumde9zj9PlY0jrnqrAwYFyVkwJ7aOxXHHrk', 'DQPPTtisbbdjzMW0XNoweHm31d36UYPBPwpsMiE0SV7nyhV', 'MV1RXDGSFCZGB07L337azkReK0dSlBugM57EWCuR1h3OGoh', 'tT2Al7qkckqgCmtgpXRyrBfXsgsnWTFyGINr96OyUCsKo8l', 'beWGnSumvBo33B5P5IJ4ivRkoXj4qiT8aMEgxGPAfB2RRzh', 'KteXpAJlxeVpLBHpS7vYblvtWuB73AiKENXpYCfznljlmPf', 'gGWs9b1qqbahzAtbmh8x1o21qPiRwfyD8EQt1Uc2JEAz94L', 'n6d8HwaDzJTsT2KePV7r5T7hD7oor6QKjJtYb3TbVJSXcXs'
Source: RuntimeBroker.exe.0.dr, wXxEcDf02H7HY9q7sdGId9O2k8RLiZadGsANkHpvrGcZ74j.cs	High entropy of concatenated method names: 'kEmwfxsPDK0kzwceTl3J22Hb21rK4FrvrLAjy9bsUk4MIOk', 'lXMgEo74tUXufbmU74xFmoGNCDoJVHbSNzhxj0KWgvyZQI6', 'QYeSuxErJXDp8vhJVdIcZfEm3VIbDZv3IdDa4Bf7SQPVHCB', 'OBUhtxDVKLFIRrqdYEClWf0MhZxLy3LQChu5pU4bYpJ3eKh', 'diAu8pw2Kz1KxszfW9lfokMrgZHFFEPipjGEk5jC1mW6S6b', 'ifCVKzollItpZgVOZXZxEGYxaZuJnaeu8075YrOlHvvCiEo', 'ISGair7GUw2jqZs608b8LxADHMrV8QT5mnXchGFYlF6K8b5', '_50SZdifHF8WkP3HKeLRKjtw7tseKEsoNGIdwCug3xw6RNrS', 'bD3HB1N6TJvLBQgCtCH2UcgiKtIGYwue6DwIvHIU4KVjl5g', 'J4BmX3rwYAkpvB0mqTHyGZ7AA6Avpf0txqr9d58dbynwdNx'
Source: RuntimeBroker.exe.0.dr, VbZf7pWxoMFRAIXJaewPgs8xCHPW520ovh0tzokPuR6TWAoURAXwUTUnINBFGDNoty2tusXxc2kKXYp.cs	High entropy of concatenated method names: 'goyHKqF47daVYJxFih7ca0MPzprm22BtwNn2pb0SuYx4e72y0Bhq0exQBExOr3ws502duvce5183kPN', 's5ZDhOyTHvopbBCjq1eKGaOmM4LNU5ImuUUvROmhHYxFSMafifuaWZkMmD8sMSRgcp4jfXtynC3HbJj', 'ArJQEhzioGBUhbYOyW1DYNqmCxTulA9gnLhG25rAm339Ecv9rDYdvZCO1weDTJTHXjWn8AavKCoBy2X', 'YotpBj3dZveqcY8SwdRVlfq9cVMYuLDJLu3nP5GrMTT9V5WkfPe5lZapGpxLAEKQ5h7wmZSM2Z1eqn4', 'cQmO6f0jxzgFUS2gu9FPJJ6Guem58RRrGbRJHXEESiZA0Gaa28LWeMXchbgXUouY984UqZ2g5stHsJgDRGVr1Sdm7DFCK525H', 'StReneRqL6VzB2vHMakcf9IElBRoBtXS2vMNOPUsPcVOo6j6vIHPE7UxmSzw5qUq33inDgZNXsK25zBU8MY3myBKGtaEShei7', 'SWYJzI18jgn3nTq6M5RUUAahsMcDbOcXY5BDZfG8WBsACYXnyOTyGWbYbbK2lKMPLhFbA4JORR97haXcJQRGwSJRI6BM1ODOU', 'k770w2yamks7EO3Dtn3jsfQ7a0vBRvFj4jUK32CO6Sh7aBKTzlhkqT4v6wvjrdgibAHa0yvLWzPQESKvtzbQvKt2TuBgkjH2u', 'Pk6mugdGpKXzQMWOnl7B37tB6zxD00WcjvTwsbkF8ttCCG58S9ETfjNuvEMJ8XuOOrERPuDY5iZupzhQcgcHmUxNnEygLf1X8', '_8Zp8mcSK5D57GuRtFIq5KfjX61DnmfNvZvO8sxkiKtRvstFmYpQRoeW4BaYzgdW4Jb455wfxp0NwyPM5BOsE85qjzZysSs4PJ'
Source: RuntimeBroker.exe.0.dr, hQjUy4kbhBmQRdVtWrkycoPlGUujau0Ee0OvYZs8yhuUyHIXyg92P1PHXQlcrTKYKyOSMbwDryOBT9V.cs	High entropy of concatenated method names: 'ciDEMcw56Cej0ffMmwnxdKtOTtl6YFngfbkAH5GQvpcAWJPSfqMXtsEaevE8sT6VzLTYyIL86Y0euhH', 'zR6PUdzZAO2A1z7t5ChZXc3rlrqGgdMA3qCT06rtZC20kidfab42wulAonpp5BNi8Pwwb49YKSFPpxzaE4Ma3vyGgOKdHB5Se', 'zdfHM5AmxT20GAWJ7ybtxXK8KwcKFoZHz6bP4V5ktSZ7bs2sJxeQ6EC7NXyVdoYED3bquHiPHw1AGz08Nrl8YNymkEbPHA5qF', 'Jb4QA3SVGMf8UlncQgjJRdUer3zUzszpAMgzOsoLoAkn3gJV0ftT93Az5ksJFvRCdZC9SnsQgSvFdkAsK1i1tcf8Xuy52ANtl', 'n7mLzMkcbWTUvZUDDMwb3oKcHT0ftRwqmWNmMJAuzC5Qvgox1bCzOZGeAC1HXWzyYT94EE9R22LiJb4BrnXdbi04QW4YGTkXV'

Source: C:\Users\user\Desktop\SharkHack.exe

File created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SharkHack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SharkHack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SharkHack.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker			Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SharkHack.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SharkHack.exe, 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SharkHack.exe, RuntimeBroker.exe.0.dr	Binary or memory string: SBIEDLL.DLL+DLDRY9JAJVQWC0FI64IKQ+YVVRECXAUUVN2KWBSFVNY+QALL9G07M6G3FFDVBXMW7+RE63CQVANBNW3ISD2KMB8+SAUEPUFGLC6QJDCL9CTGD+VTYTINHA5BE07UF9ZTV21+DFFHUP26D4TDUEQIUZKNI+A51XLSX4C3MAHMYNE3IUY+LWCY1C7W3T22PX6R1FL5Q+RMKQZ6Y3BVSNIRYGISL1L+G3HJZ6RMJOJSHSUUVPORM+E9KIFDR7OVWDIYB2IETQK+QZO54BJRAGL3YNRLZ73B2+T5V7OJWQGR3XNN1E44REVINFO

Source: C:\Users\user\Desktop\SharkHack.exe	Memory allocated: 900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Memory allocated: 1A670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Memory allocated: B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Memory allocated: DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SharkHack.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SharkHack.exe	Window / User API: threadDelayed 1677	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Window / User API: threadDelayed 8169	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2896	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6885	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8227	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1407	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5967	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3788	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3291
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6403

Source: C:\Users\user\Desktop\SharkHack.exe TID: 6908	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 5967 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep count: 3788 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6988	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2872	Thread sleep count: 3291 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2872	Thread sleep count: 6403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe TID: 3004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe TID: 5228	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\SharkHack.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\SharkHack.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SharkHack.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: RuntimeBroker.exe.0.dr	Binary or memory string: vmware
Source: RuntimeBroker.exe.0.dr	Binary or memory string: oNS2aFdEFPrlfsMkzz7wPtN51fobifzk3FztQluHZ5OKfyv
Source: SharkHack.exe, 00000000.00000002.2758028201.000000001B498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ

Source: C:\Users\user\Desktop\SharkHack.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\SharkHack.exe

Code function: 0_2_00007FFD9B7D7871 CheckRemoteDebuggerPresent,

0_2_00007FFD9B7D7871

Source: C:\Users\user\Desktop\SharkHack.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SharkHack.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SharkHack.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\SharkHack.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'

Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SharkHack.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3

Source: SharkHack.exe, 00000000.00000002.2751589227.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: SharkHack.exe, 00000000.00000002.2751589227.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SharkHack.exe, 00000000.00000002.2751589227.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0Pm
Source: SharkHack.exe, 00000000.00000002.2751589227.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: SharkHack.exe, 00000000.00000002.2751589227.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2b

Source: C:\Users\user\Desktop\SharkHack.exe	Queries volume information: C:\Users\user\Desktop\SharkHack.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SharkHack.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SharkHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SharkHack.exe, 00000000.00000002.2758028201.000000001B4F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SharkHack.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: SharkHack.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2751589227.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2751589227.0000000002745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SharkHack.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: SharkHack.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SharkHack.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2751589227.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2751589227.0000000002745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SharkHack.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	12 Windows Management Instrumentation	1 Scripting	12 Process Injection	1 Masquerading	OS Credential Dumping	541 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SharkHack.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
SharkHack.exe	100%	Avira	TR/Dropper.Gen
SharkHack.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RuntimeBroker.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
24.ip.gl.ply.gg	0%	Avira URL Cloud	safe
http://schemas.microsoft.co	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
24.ip.gl.ply.gg	147.185.221.24	true	true		unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
24.ip.gl.ply.gg	true	Avira URL Cloud: safe	unknown
127.0.0.1	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1766805871.000002C810075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1855873236.0000019FADC65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1982934621.000001C890075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1747443576.000002C800229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DE19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C88022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1747443576.000002C800229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DE19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C88022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 0000000B.00000002.2216895438.000001AEE6443000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1766805871.000002C810075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1855873236.0000019FADC65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1982934621.000001C890075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000007.00000002.2008416724.000001C8FC2A0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ip-api.com	SharkHack.exe, 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2185999875.000001AEDDCB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 00000007.00000002.2008416724.000001C8FC2A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1747443576.000002C800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDC41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SharkHack.exe, 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1747443576.000002C800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1806229759.0000019F9DBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892500700.000001C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2045741121.000001AECDC41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.microsoft.co	powershell.exe, 0000000B.00000002.2216895438.000001AEE648C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2045741121.000001AECDE69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 00000001.00000002.1776517040.000002C877A20000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
147.185.221.24	24.ip.gl.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584532
Start date and time:	2025-01-05 19:22:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SharkHack.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/24@2/2
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RuntimeBroker.exe, PID 2720 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 7564 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2816 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7556 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7824 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8088 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SharkHack.exe

Simulations

Behavior and APIs

Time	Type	Description
13:23:05	API Interceptor	44x Sleep call for process: powershell.exe modified
13:23:57	API Interceptor	67x Sleep call for process: SharkHack.exe modified
18:23:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker.exe
18:24:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker.exe
18:24:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	paint.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	ddos tool.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
147.185.221.24	avaydna.exe	Get hash	malicious	Njrat	Browse
	ddos tool.exe	Get hash	malicious	XWorm	Browse
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse
	p59UXHJRX3.exe	Get hash	malicious	XenoRAT	Browse
	JdYlp3ChrS.exe	Get hash	malicious	Njrat	Browse
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse
	test.exe	Get hash	malicious	DarkComet	Browse
	L363rVr7oL.exe	Get hash	malicious	Njrat	Browse
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	ddos tool.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	ddos tool.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
SALSGIVERUS	avaydna.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	ddos tool.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	p59UXHJRX3.exe	Get hash	malicious	XenoRAT	Browse	147.185.221.24
	JdYlp3ChrS.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	OneDrive.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	gReXLT7XjR.exe	Get hash	malicious	Njrat	Browse	147.185.221.18
	_____.exe	Get hash	malicious	DarkComet	Browse	147.185.221.23

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SharkHack.exe.log

Download File

Process:	C:\Users\user\Desktop\SharkHack.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3718223239563105
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6o6+vxp3/elZHNpOtHTHhAHKKkt1qHGIs0HKD:iqbYqGSI6o9Zp/elZtpOtzHeqKktwmjB
MD5:	9714380A7DC1A8945C07B6C9DC8312B0
SHA1:	E6DF51F4C72B17485883378FDBF28D6BB5CFFDF3
SHA-256:	1DD30FC94BA3D3F97B5F250110A2639430AEB51FAE7A252F886AE2401EC31D4B
SHA-512:	876FB2C042F5FC60F6ACE9D143BA1A3AC9E200124EA3CB12476D10D24D82B4F2394F045E56FEB8906872D01B00BF9E646DEECC384144E21AEB6D6C10A365FB10
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\SharkHack.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jobpvtc.qrm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dor5zdu.dbj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jm2rhxe.aiu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54psllgw.pc5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amcll5wn.bh2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cex1hau3.gom.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foe252ax.z00.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3fdo4to.vhw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhvtzvga.plc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwagteiu.gvw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrjmxcwh.w3k.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2av5bfr.gzm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiya2bc1.elz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p02bhplp.ttk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfohiit2.5o1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvcyhcyf.u3c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat

Download File

Process:	C:\Users\user\Desktop\SharkHack.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.994937313463703
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtv3Dt+WfHvhs92NEyMNQDwU1hGDt+kiE2J5xAInTRIM6RIVzVZPy:hWKqTtLwQO92WyMSDNewkn23fTt6uVze
MD5:	1A9BD5B7EC4C9F424F6FFA5EE02D0418
SHA1:	8F8C6D45F8EC743948B4DFDD673CF8999DEA4E98
SHA-256:	C3A040A7A14DACEF3C940FCD94F9047BC4D158803CD8275D30C65BDD53866682
SHA-512:	E0ED43BE1FBA440C028CC74C4B3D463BCBD76FC3C7D0CABE74905AB509834FAE1AD7C8E6DA6F2B870D125561228741C3E81F932FDDB85CC69A6032AD04555ADE
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..CD C:\Users\user\Desktop..DEL "SharkHack.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpCFE.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Download File

Process:	C:\Users\user\Desktop\SharkHack.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Jan 5 17:23:56 2025, mtime=Sun Jan 5 17:23:56 2025, atime=Sun Jan 5 17:23:56 2025, length=4048896, window=hide
Category:	dropped
Size (bytes):	796
Entropy (8bit):	5.107904706444131
Encrypted:	false
SSDEEP:	12:8jglEQ4+WCGwdY//DAKESLg53AQ/jSStYjA2mrHgLTSNXhgLyBmV:8jg2pfw+rAfsQAQ7SSyAbkTSbnBm
MD5:	05212468BD53155FBA3D67AD1854F009
SHA1:	4B930A4D211B64E2FCE3B18C482F878EE98B58CC
SHA-256:	56B52FFED21265E428269453F23FB3B9CFFCE3308BB4B5B2EB7FE97CF7D34A1E
SHA-512:	689F402D22BB1F0CD31319AC0D838F9154C777AD63A2A6F7548A3CAE2A47F89A0584F371E57D78F0606DB5EAFF30BE1D86BFD1BB63B088F7FCD7E1EDFDA050E1
Malicious:	false
Preview:	L..................F.... ...{7..._..{7..._..{7..._....=.......................:..DG..Yr?.D..U..k0.&...&......vk.v.... ..._......_......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^%Z............................%..A.p.p.D.a.t.a...B.V.1.....%Z...Roaming.@......CW.^%Z............................%..R.o.a.m.i.n.g.....p.2...=.%Z.. .RUNTIM~1.EXE..T......%Z..%Z................................R.u.n.t.i.m.e.B.r.o.k.e.r...e.x.e......._...............-.......^.............t0.....C:\Users\user\AppData\Roaming\RuntimeBroker.exe.. .....\.....\.....\.....\.....\.R.u.n.t.i.m.e.B.r.o.k.e.r...e.x.e.`.......X.......066656...........hT..CrF.f4... .\|P.,.....,.......hT..CrF.f4... .\|P.,.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\SharkHack.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4048896
Entropy (8bit):	0.7386840297410278
Encrypted:	false
SSDEEP:	3072:+k5jzFOmdbhM1UO9lwpnod6KzYaDepDAvwq/4BTGyv4A/Nbm6Z/IXynPliiAXS5A:NDdbOipod6TsBD+L
MD5:	0D1C90879F6B3CA5A83DE2F180046F65
SHA1:	2D9EFC7BEFA58E744BDD93FF1C2D2A6E2F144B52
SHA-256:	7D30C5701274F858AB179E726A0E86E7040F339D5E252DB85F3A5638F2EF731E
SHA-512:	EE1DF1D5C16110807016B5AF5BEEDBEE03C750325EE201DD72D2990FB7671E3D3A307ED4624CB01B6622B0BC41E9C0535F59D7B308E1B16A2F07DF0B892019BF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Sekoia.io Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Czg.................0...........N... ...`....@.. ....................................@..................................M..K....`..B............................................................................ ............... ..H............text........ ...0.................. ..`.rsrc...B....`.......2..............@..@.reloc...............:..............@..B.................M......H.......`b..`.......&.....................................................(.....r...p. .(T...(.....r-..p. .5...s.........s.........s.........s..........rY..p. .....r...p. ..a..r...p.r...p. .x!..r...p. ..>...((....rS..p. S....r...p.(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Y..."(....+.&(....&+..+5sj... .... .'..ok...(,...~....-.(_...(Q...~....ol...&.-..r...p. d....r...p. .4...rE..p. >....rq..p. ..m..r...p. C....r...p.r...p. .T...r!..p*. %k

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	0.7386840297410278
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SharkHack.exe
File size:	4'048'896 bytes
MD5:	0d1c90879f6b3ca5a83de2f180046f65
SHA1:	2d9efc7befa58e744bdd93ff1c2d2a6e2f144b52
SHA256:	7d30c5701274f858ab179e726a0e86e7040f339d5e252db85f3a5638f2ef731e
SHA512:	ee1df1d5c16110807016b5af5beedbee03c750325ee201dd72d2990fb7671e3d3a307ed4624cb01b6622b0bc41e9c0535f59d7b308e1b16a2f07df0b892019bf
SSDEEP:	3072:+k5jzFOmdbhM1UO9lwpnod6KzYaDepDAvwq/4BTGyv4A/Nbm6Z/IXynPliiAXS5A:NDdbOipod6TsBD+L
TLSH:	6516E8A96FE31466D4CAA97C7C3523407AFCAD6A646B0E635437B0AED1744C07ED20F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Czg.................0...........N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	4182396860398041

Static PE Info

General

Entrypoint:	0x414e0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677A43B5 [Sun Jan 5 08:32:53 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14dc0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x30642	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12e14	0x13000	347d7cdf296ec75a451ee4ebb99b07fb	False	0.6086682771381579	SysEx File -	6.0622670653363615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x30642	0x30800	82d73e43a61247bbe9776eec72ac4eeb	False	0.32277907538659795	data	6.437533684492561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xc	0x200	5629464660d5ce4ee47299c9fd5d108e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x162b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.5806737588652482
RT_ICON	0x16718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	0.4237704918032787
RT_ICON	0x170a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.351313320825516
RT_ICON	0x18148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.25809128630705397
RT_ICON	0x1a6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.21504487482286255
RT_ICON	0x1e918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 2835 x 2835 px/m	0.19926062846580406
RT_ICON	0x23da0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	0.16389005675846122
RT_ICON	0x2d248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.142449426239205
RT_ICON	0x3da70	0x8715	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9994505653393482
RT_GROUP_ICON	0x46188	0x84	data	0.7121212121212122
RT_VERSION	0x4620c	0x24c	data	0.4744897959183674
RT_MANIFEST	0x46458	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:24:02.000490+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:02.000490+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:11.300388+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:11.308969+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	147.185.221.24	61472	TCP
2025-01-05T19:24:23.398212+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49739	147.185.221.24	61472	TCP
2025-01-05T19:24:23.729235+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:23.731789+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	147.185.221.24	61472	TCP
2025-01-05T19:24:32.000157+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:32.000157+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:36.190686+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.24	61472	192.168.2.4	49739	TCP
2025-01-05T19:24:36.198259+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	147.185.221.24	61472	TCP
2025-01-05T19:24:48.138772+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.24	61472	192.168.2.4	49739	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:23:04.609249115 CET	49730	80	192.168.2.4	208.95.112.1
Jan 5, 2025 19:23:04.617239952 CET	80	49730	208.95.112.1	192.168.2.4
Jan 5, 2025 19:23:04.617331028 CET	49730	80	192.168.2.4	208.95.112.1
Jan 5, 2025 19:23:04.617875099 CET	49730	80	192.168.2.4	208.95.112.1
Jan 5, 2025 19:23:04.625849962 CET	80	49730	208.95.112.1	192.168.2.4
Jan 5, 2025 19:23:05.076190948 CET	80	49730	208.95.112.1	192.168.2.4
Jan 5, 2025 19:23:05.116295099 CET	49730	80	192.168.2.4	208.95.112.1
Jan 5, 2025 19:23:54.651453018 CET	80	49730	208.95.112.1	192.168.2.4
Jan 5, 2025 19:23:54.651580095 CET	49730	80	192.168.2.4	208.95.112.1
Jan 5, 2025 19:23:58.348529100 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:23:58.354388952 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:23:58.354468107 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:23:58.434685946 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:23:58.439888000 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:02.000489950 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:02.053913116 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:10.956042051 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:10.960892916 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:11.300388098 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:11.308969021 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:11.313745022 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:23.398211956 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:23.403033972 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:23.729234934 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:23.731789112 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:23.739655018 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:32.000157118 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:32.054183960 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:35.853809118 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:35.858658075 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:36.190685987 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:36.198259115 CET	49739	61472	192.168.2.4	147.185.221.24
Jan 5, 2025 19:24:36.203037977 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:45.087505102 CET	49730	80	192.168.2.4	208.95.112.1
Jan 5, 2025 19:24:45.092387915 CET	80	49730	208.95.112.1	192.168.2.4
Jan 5, 2025 19:24:48.138772011 CET	61472	49739	147.185.221.24	192.168.2.4
Jan 5, 2025 19:24:48.165553093 CET	49739	61472	192.168.2.4	147.185.221.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:23:04.596450090 CET	49831	53	192.168.2.4	1.1.1.1
Jan 5, 2025 19:23:04.603108883 CET	53	49831	1.1.1.1	192.168.2.4
Jan 5, 2025 19:23:58.328073025 CET	60506	53	192.168.2.4	1.1.1.1
Jan 5, 2025 19:23:58.340249062 CET	53	60506	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:23:04.596450090 CET	192.168.2.4	1.1.1.1	0x12b	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:23:58.328073025 CET	192.168.2.4	1.1.1.1	0x87aa	Standard query (0)	24.ip.gl.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:23:04.603108883 CET	1.1.1.1	192.168.2.4	0x12b	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:23:58.340249062 CET	1.1.1.1	192.168.2.4	0x87aa	No error (0)	24.ip.gl.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7432	C:\Users\user\Desktop\SharkHack.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 19:23:04.617875099 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 5, 2025 19:23:05.076190948 CET	175	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:23:04 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	13:22:59
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\SharkHack.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SharkHack.exe"
Imagebase:	0x370000
File size:	4'048'896 bytes
MD5 hash:	0D1C90879F6B3CA5A83DE2F180046F65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1673982480.0000000000372000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2751589227.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2751589227.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2751589227.0000000002745000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:23:04
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SharkHack.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:23:04
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:23:11
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SharkHack.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:23:11
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:23:20
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:23:20
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:23:34
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:23:34
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:24:07
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Imagebase:	0x1d0000
File size:	4'048'896 bytes
MD5 hash:	0D1C90879F6B3CA5A83DE2F180046F65
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Sekoia.io Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:24:15
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Imagebase:	0x850000
File size:	4'048'896 bytes
MD5 hash:	0D1C90879F6B3CA5A83DE2F180046F65
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:24:47
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCFE.tmp.bat""
Imagebase:	0x7ff688e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:24:47
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:24:47
Start date:	05/01/2025
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff7444a0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	10
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B7D16E9 Relevance: 1.8, Strings: 1, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAO_^, xrefs: 00007FFD9B7D194D

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID: CAO_^
API String ID: 0-3111533842
Opcode ID: 67eda27a8079b901d85bf217614b817e25e24e11690bbe0349298ea75b97a833
Instruction ID: f9f47780f74a7b604c6499486d3b1f94d9915924a9a96730dfcf10ed9fd176c2
Opcode Fuzzy Hash: 67eda27a8079b901d85bf217614b817e25e24e11690bbe0349298ea75b97a833
Instruction Fuzzy Hash: ADF1B330B19B494FE798EB78947A6BD76E1EFC8700F4106BDE40DC32E6DE28A9458741

Function 00007FFD9B7D7871 Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD9B7D7920

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 28690a751943899c2db77d650878ddcb62ece6fbc950bc11350c1a062dfae152
Instruction ID: 3733be0910cd2116b1660a61a0553447aef28fba97e56d6ace621bd581fac9d4
Opcode Fuzzy Hash: 28690a751943899c2db77d650878ddcb62ece6fbc950bc11350c1a062dfae152
Instruction Fuzzy Hash: D831243190875C8FCB58DF58C8867E97BF0EFA5311F05426BD489D7292D734A845CB91

Function 00007FFD9B7DDFA4 Relevance: .9, Instructions: 923
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ea935274a307cf7db5b843ebc48c3772d11908cba2a33d4dba464d7ce0d926
Instruction ID: 07a45eeed3fd3a256b47ff48de83a72e2fb95a52e668ed6d8c15c6e1ea851bf5
Opcode Fuzzy Hash: 82ea935274a307cf7db5b843ebc48c3772d11908cba2a33d4dba464d7ce0d926
Instruction Fuzzy Hash: 2F528430B1D61D4FEBA8E7788465ABD72D6EFD8340B524778D41EC32E6DE28E8468740

Function 00007FFD9B7D5EB6 Relevance: .5, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced3edc34faec7159449f768c8a4b1014a8fba587c5b4bb8a0469dd956e842ea
Instruction ID: ffc95ba4686a14cdc8d0b92681b108ac33dff2952688b0a00d63db4eada2984d
Opcode Fuzzy Hash: ced3edc34faec7159449f768c8a4b1014a8fba587c5b4bb8a0469dd956e842ea
Instruction Fuzzy Hash: AAF1A430A09B4D8FEBA8DF28C855BE937D1FF94350F04436AE85DC72A5DB34A9458B81

Function 00007FFD9B7D6C62 Relevance: .5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3efd8396b2f94a2fcb155d0026273b053b312b380f0f0c8e87404bcab19bc96
Instruction ID: 4502489999713071f53c28b470eec63d993518046a9d960fbf3fbc42ee7a7f61
Opcode Fuzzy Hash: e3efd8396b2f94a2fcb155d0026273b053b312b380f0f0c8e87404bcab19bc96
Instruction Fuzzy Hash: F5E1B330A09A4D4FEBA8DF28C8557E977E1FB94310F14436ED84DC72A5CA78E9458B81

Function 00007FFD9B7D2181 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760617d74e9abaeaeeeb2ed892411badc806565ef322248b52bb7a85d36ce5af
Instruction ID: c56ac01eafca1139a83a13807d66b309f4b43f7f117aaa0acb97ee8561fef9c9
Opcode Fuzzy Hash: 760617d74e9abaeaeeeb2ed892411badc806565ef322248b52bb7a85d36ce5af
Instruction Fuzzy Hash: 4FC1C530B1DA0D4FEB98EBA884756BD76D2EFD8340F054379E44EC32E6DE28A9464341

Function 00007FFD9B7D1EF9 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcce665d2215c5a814002a1ca5993a02e77d9aa616878947a0f667579105cb50
Instruction ID: 5cef6a4b5a6adc3f534325e5f8fbed7921febd06a754400539c537070c30c1b5
Opcode Fuzzy Hash: dcce665d2215c5a814002a1ca5993a02e77d9aa616878947a0f667579105cb50
Instruction Fuzzy Hash: 48510F10B1E6C90FD79AAB784874679BFD5DF96219B0806FAE09DC71E7DE085C0AC342

Function 00007FFD9B7D963A Relevance: 1.7, APIs: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B7D9742

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: b72fdc6ff1d9d3c0b44d3cc2b6def1125d9af3c119ad110f794d13d8f14a9a70
Instruction ID: d046ac876c3797869b281ae3a7a053b29d04673a66b2a3bb01064cb6d2695ebd
Opcode Fuzzy Hash: b72fdc6ff1d9d3c0b44d3cc2b6def1125d9af3c119ad110f794d13d8f14a9a70
Instruction Fuzzy Hash: F1414431A0D7898FDB29DB9C9859AF87FE0EF52310F1441BFD09AC7193CA24680AC761

Function 00007FFD9B7D9BB8 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B7D9C81

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 468eb87ad3947a72a7d163acaf609c8b57f897f1f0424668c40a827ab217a88a
Instruction ID: 73ddaa63b494f3f71cf93ede4e48e81c4bc180cfbcf1c7204196002b7086b307
Opcode Fuzzy Hash: 468eb87ad3947a72a7d163acaf609c8b57f897f1f0424668c40a827ab217a88a
Instruction Fuzzy Hash: DC312A30A1CA4D4FDB18DF6C984A6F9BBE1EB95311F00427ED04DC3292DA756812C7C1

Non-executed Functions

Function 00007FFD9B7D10FA Relevance: 3.0, Strings: 2, Instructions: 549COMMON

Download Yara Rule

Strings

2O_, xrefs: 00007FFD9B7D15B4
3O_^, xrefs: 00007FFD9B7D1101

Memory Dump Source

Source File: 00000000.00000002.2771249673.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_SharkHack.jbxd

Similarity

API ID:
String ID: 2O_$3O_^
API String ID: 0-4021006474
Opcode ID: e92742caccb6f92f84a807fdfd968f80fc6a4e1b132d5c0d64dd3ff81f0d3719
Instruction ID: ed83d2c830b20e9ebf470cbd6439ab94ad869638ab64ff14de6c67b514b8ce7b
Opcode Fuzzy Hash: e92742caccb6f92f84a807fdfd968f80fc6a4e1b132d5c0d64dd3ff81f0d3719
Instruction Fuzzy Hash: CFF1B41BB0E7D20ED712B7BD64754E93F60DFD226970A42F7C1998E4E3DD08294983A1

Analysis Process: powershell.exePID: 7556, Parent PID: 7432COMMON

Executed Functions

Function 00007FFD9B8B6605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1778301348.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933780d1028a371cb676734ce0c8421d03661c41cc75873d6ffc94480276ec11
Instruction ID: 0e24ce0536e4d10afacb6b9ee255a241a1c04d7880ef81762819c83bc698ca04
Opcode Fuzzy Hash: 933780d1028a371cb676734ce0c8421d03661c41cc75873d6ffc94480276ec11
Instruction Fuzzy Hash: 44D14572A0FA9E4FEB65AB7848755B5BBA1EF4A314B0901FED05CC70E3D918E805C781

Function 00007FFD9B8B4370 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1778301348.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028c26edd3c539bb460b53accdbfeeeecf9f21699056a64caf3a5d74430d1eac
Instruction ID: 8c6ba3ece4cfb56530397a8025bf1153dbf8974a222a1adbcef69115c960cae5
Opcode Fuzzy Hash: 028c26edd3c539bb460b53accdbfeeeecf9f21699056a64caf3a5d74430d1eac
Instruction Fuzzy Hash: 9241F523B0EA590FEBA9D7785462AB477D1EF88320B0D00BED05DC71A7E915AD118781

Function 00007FFD9B7E9738 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1777997003.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe73704ce3a0f24ed1e56e35eaaaf3f1f22bccecb57a0054beb9d0e04f333fd
Instruction ID: 38c5f5e7a01488d7705f613b40dc770eb860e2297e2ea51a5b2364dc539536d9
Opcode Fuzzy Hash: bfe73704ce3a0f24ed1e56e35eaaaf3f1f22bccecb57a0054beb9d0e04f333fd
Instruction Fuzzy Hash: D541F87190DB484FDB589F5C984A6BC7BE1FF94310F04426FE45993262CB30A946CBC2

Function 00007FFD9B6CE380 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1777687429.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b6cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca09f2f8820e59175e85954e64ed285780c10da2f0b137656b72ffec19f4301
Instruction ID: f9ce960422fe36501ee061fb14ec10893b3a4dc9d9b0b63d02524f3c56a6373b
Opcode Fuzzy Hash: bca09f2f8820e59175e85954e64ed285780c10da2f0b137656b72ffec19f4301
Instruction Fuzzy Hash: FB41167150EBC84FE766AB2898559623FB0EF52314B1606EFD0CCCF1A3D625B846C792

Function 00007FFD9B7EA47C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1777997003.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74178c905c88b163ec315d6c3daffe88cdca1fdae1cb53175f848cbe4d3e96f0
Instruction ID: ba0a290eddc34c19c8f512d021d47d030ddd0b56496a742b79636991db207c91
Opcode Fuzzy Hash: 74178c905c88b163ec315d6c3daffe88cdca1fdae1cb53175f848cbe4d3e96f0
Instruction Fuzzy Hash: 7221283190C74C8FEB59DFAC984A7E97FF0EB96321F04426BD049C3162DA74A41ACB91

Function 00007FFD9B7EA038 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1777997003.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385fee273edfc755d02841dd96c78acb25c6a39446d3ba062b5b62f23ad1fbf6
Instruction ID: d410dd294360192d60112297df7cd9ab99260850adde8db74326b90b88839a26
Opcode Fuzzy Hash: 385fee273edfc755d02841dd96c78acb25c6a39446d3ba062b5b62f23ad1fbf6
Instruction Fuzzy Hash: 27312C72E0668E4BC7159FA8A8760E43BA0EF01315B0542B7D4998A073FE2C1656C781

Function 00007FFD9B8B43BC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1778301348.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486567cf22c839036ed016e80c451339fa54977eb3ab723cd10cccb61704180c
Instruction ID: b4176ffc8f7f8ca0df50174164513c7be374ba6cfc640279ad2f68800149dae5
Opcode Fuzzy Hash: 486567cf22c839036ed016e80c451339fa54977eb3ab723cd10cccb61704180c
Instruction Fuzzy Hash: AB11E033B4F55A0FE7B8DB6890729B876D0EF4832074E00BAE05DC71A2DA19BD118B90

Function 00007FFD9B7E33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1777997003.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 347eb46863d0610c54c5e9c05e70889870b2352b4ba84a369cc0dc72dc0b729b
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 6D01A73020CB0C4FD748EF0CE051AA5B3E0FF85320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B8B4146 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1778301348.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fabe3784b5df4ab1e59c4e014a602f51716bec2c77a1d20c6b1320609a051d
Instruction ID: 95b8c95183ad8ea09eae62eb7da65757a0f3a3742ea6f10a1fda1d3c0ea19913
Opcode Fuzzy Hash: 92fabe3784b5df4ab1e59c4e014a602f51716bec2c77a1d20c6b1320609a051d
Instruction Fuzzy Hash: 6DF06D32B4E50A8FDB69EB5CE4528A473E0EF59320B1500BAE05DC75A7CA26FC418B80

Function 00007FFD9B8B41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1778301348.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 75cc591d56b865421418cb4d1dbd5b20a6320eafc3c2957c2b4834ee9d9d0646
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: B1E01A31B0C8188FDA78DB4CE0529A973E1EB9832171601BBD14EC7572CA22ED518BC0

Non-executed Functions

Function 00007FFD9B7E8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^J, xrefs: 00007FFD9B7E8C8A
M_^7, xrefs: 00007FFD9B7E8C12
M_^4, xrefs: 00007FFD9B7E8BFA
M_^F, xrefs: 00007FFD9B7E8C7A

Memory Dump Source

Source File: 00000001.00000002.1777997003.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction ID: 86c4a79f75c5a2001dc0f9adf95a8a9d458683c16704a6f17690232f05857f3e
Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction Fuzzy Hash: B021F56BB085A58ED306BB7DB8189DD3750CF9423979643F2E0A9CB093FD1460868AC0

Analysis Process: powershell.exePID: 7824, Parent PID: 7432COMMON

Executed Functions

Function 00007FFD9B7E644D Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3487309ab8b26002c9f388b36d96d6b8431b393b61375714c39138032a7c8381
Instruction ID: f90c03aeb680d48c930c6ec07fd866c3558b75cd0e17f14208e99b80cd25cfa1
Opcode Fuzzy Hash: 3487309ab8b26002c9f388b36d96d6b8431b393b61375714c39138032a7c8381
Instruction Fuzzy Hash: CCD16031A18A4D8FDF98DF58C465AAD7BE1FF68300F1542AAD449D72B6CB34E841CB81

Function 00007FFD9B8B6605 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870876836.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb5d91396efded13e0a3acecef54002b3891022ffb17969eb719c8090435796
Instruction ID: e4d5ffa588387620a6fec0e798ea20f579d752e559b9fc39dc507365dda941f7
Opcode Fuzzy Hash: edb5d91396efded13e0a3acecef54002b3891022ffb17969eb719c8090435796
Instruction Fuzzy Hash: 3FD14772A0FA9E4FEB659B7848655B5BBE0EF0A214B0901FED45CC70E3D918E905C781

Function 00007FFD9B7E9750 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbbbcebb503a385fac46a4455f2302600038d8a9bb2efcf0040c9e7faca9cef
Instruction ID: 23f559c0fd1a8bbb302cb4c029cec378742090fc63039c434c6d0044330d3a3b
Opcode Fuzzy Hash: 1cbbbcebb503a385fac46a4455f2302600038d8a9bb2efcf0040c9e7faca9cef
Instruction Fuzzy Hash: C8411A7190DB884FDB18DF5C9C1A6A97FE0FB99310F04416FE099D32A2CA74A905CBC2

Function 00007FFD9B7EA525 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d995b7c4043acec44516cc5ea106f3c5bdf75910c5c3676a1db02e3b1dc49e
Instruction ID: 09c92911ed638277f00bbf5be295b32b7db8b2433b4553d3c9914d35f337c853
Opcode Fuzzy Hash: 84d995b7c4043acec44516cc5ea106f3c5bdf75910c5c3676a1db02e3b1dc49e
Instruction Fuzzy Hash: C331F63190DB8C8FDB15DB68985A6E97FF0EF96320F0541AFD049C7163DA345909CB92

Function 00007FFD9B7EA56C Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00821be0ff31cd728e7a021ad18797568d7e34d2e4466729ae2ad95810f5d2
Instruction ID: 8743c4b50abb411fa9aa6e7d628dab420e628705757dfd90f7918e1729e49ff2
Opcode Fuzzy Hash: 0d00821be0ff31cd728e7a021ad18797568d7e34d2e4466729ae2ad95810f5d2
Instruction Fuzzy Hash: E9210731A0CB4C8FDB58DF9C984A7E97BE0EBA5321F00816FD04DC3162DA709856CB91

Function 00007FFD9B6CF3EA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1869529249.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9629ca52df256cbe76e0fa06174e2d7a22b6a8d5783140c3f311879823f0bba1
Instruction ID: 617b1a837c24536f1078e4bc9205bc99278f6ed6dc8d8a5a4e08b76fe77ea103
Opcode Fuzzy Hash: 9629ca52df256cbe76e0fa06174e2d7a22b6a8d5783140c3f311879823f0bba1
Instruction Fuzzy Hash: 3601A23260DE088FDA68FB6DF0859A577E0FB4432071045AED159CB166DB21F88ACB81

Function 00007FFD9B7E33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 347eb46863d0610c54c5e9c05e70889870b2352b4ba84a369cc0dc72dc0b729b
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 6D01A73020CB0C4FD748EF0CE051AA5B3E0FF85320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B8B414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870876836.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46134b3818dd7f88208b323d99acea047d638e99e4573c36c7c012136fac4d7b
Instruction ID: 1911f7f63bbfbc2070c841d2b0ccccff861e19690423c8cca4995c44776344ba
Opcode Fuzzy Hash: 46134b3818dd7f88208b323d99acea047d638e99e4573c36c7c012136fac4d7b
Instruction Fuzzy Hash: 1BF09032B0D5494FD768EB5CE4528A473E0EF5932071500BAE06DC71B3CA25EC40CB80

Function 00007FFD9B6CF3FF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1869529249.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
Instruction ID: cbc37a40ff2161a49409509fa0a76ffff6728ef3a65fa325e3e008cddaa9d320
Opcode Fuzzy Hash: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
Instruction Fuzzy Hash: A6F0B731619E089FCAA4FF2DC485E2237E1FB983107114658E45ECB266D734F891CB81

Function 00007FFD9B8B4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870876836.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fcf4bdd0606103fb40cff582d849bf32a526f9b7ea49e4d9af6dfcfee964c3
Instruction ID: 8fae96f69d953d16964f722af345875fc9481439ff2134a458090ded418a521e
Opcode Fuzzy Hash: b7fcf4bdd0606103fb40cff582d849bf32a526f9b7ea49e4d9af6dfcfee964c3
Instruction Fuzzy Hash: D3F0B432A0E5494FDB68EB5CE0618A473E0FF0532070500BAE059C70B3DA25AC50C780

Function 00007FFD9B7E344F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24444e3d918aeadc4d4dd4e2826a49c9c95aa695e2460b424228df4f29ba131a
Instruction ID: 4fb9e47c7646ba1c24352b711e34a80a06ab661de71718049806fe47d4a99151
Opcode Fuzzy Hash: 24444e3d918aeadc4d4dd4e2826a49c9c95aa695e2460b424228df4f29ba131a
Instruction Fuzzy Hash: 28E0923260D7090FEB288F5CE8934F57390EF02234B40027FD446CA4B2D913A5938684

Function 00007FFD9B8B41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870876836.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 75cc591d56b865421418cb4d1dbd5b20a6320eafc3c2957c2b4834ee9d9d0646
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: B1E01A31B0C8188FDA78DB4CE0529A973E1EB9832171601BBD14EC7572CA22ED518BC0

Non-executed Functions

Function 00007FFD9B7E8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^Y, xrefs: 00007FFD9B7E8CBA
M_^J, xrefs: 00007FFD9B7E8C62
M_^Q, xrefs: 00007FFD9B7E8C8A
M_^<, xrefs: 00007FFD9B7E8C12
M_^?, xrefs: 00007FFD9B7E8C2A
M_^8, xrefs: 00007FFD9B7E8BF2
M_^K, xrefs: 00007FFD9B7E8C6A
M_^N, xrefs: 00007FFD9B7E8C72

Memory Dump Source

Source File: 00000004.00000002.1870104915.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
Instruction ID: b114a5ea51b1871e90ed1c4dc2c7250fd3b437a7b478e6d328b580f01d32eadd
Opcode Fuzzy Hash: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
Instruction Fuzzy Hash: BC210477B045658AC30676ACB8559DC7790DF9437A39643F3E029CF193ED18A48B8A80

Analysis Process: powershell.exePID: 8088, Parent PID: 7432COMMON

Executed Functions

Function 00007FFD9B8C6605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012910329.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d240bb00c5211b4665c28548d9ac7149c3d59585c591fbf9a691aa9c896a51c7
Instruction ID: 69d97ae0fd10569ab1e64ea492343635835c9a3d12ffac4e186ecac2a7a70d08
Opcode Fuzzy Hash: d240bb00c5211b4665c28548d9ac7149c3d59585c591fbf9a691aa9c896a51c7
Instruction Fuzzy Hash: 5FD148B2B0FA8E4FEB65AB6888645B57BE0EF29314B1901FFD45CC70E3D918A905C341

Function 00007FFD9B7F9758 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012147632.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442d83021d68501754630665c2f94cec3a244b31fcbea703908baf73e37bcdf8
Instruction ID: f54d45693581e35ff85f87d13faa8a236d0acc10774f84b811fe7c3ff96e92d8
Opcode Fuzzy Hash: 442d83021d68501754630665c2f94cec3a244b31fcbea703908baf73e37bcdf8
Instruction Fuzzy Hash: 11312C31A0CB8C8FDB189F5C980A6B97BE0FB98310F00422FE449C3251DA30B855CBC2

Function 00007FFD9B6DED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2011349897.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b6dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea45e13cb6be21fbd96790a9a89b5f347c6813b2805b88a03abc59bdb3b8885
Instruction ID: 187b119d57496ea28371c9c6b74a376a17416e62a3d74798d5c800e7585574a5
Opcode Fuzzy Hash: 9ea45e13cb6be21fbd96790a9a89b5f347c6813b2805b88a03abc59bdb3b8885
Instruction Fuzzy Hash: 8F41F67150EBC44FD7669B289C519523FF0EF57220B1A06DFD0D8CB1A3DA25A846C792

Function 00007FFD9B7FA62C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012147632.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f29d06e4c94ed247a13e9782f898efeea82ca11d9ae4f67f1b97374be8b528
Instruction ID: 55eee723fa876890b65778e5988825edaa2ec2428e5136ab8132712a6b255855
Opcode Fuzzy Hash: b8f29d06e4c94ed247a13e9782f898efeea82ca11d9ae4f67f1b97374be8b528
Instruction Fuzzy Hash: CC212830A0CB4C4FDB59DBAC984A7E97FF0EB96321F04426FD449C3162DA749416CB92

Function 00007FFD9B7F33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012147632.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45

Function 00007FFD9B8C414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012910329.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2537c7df8b8d21297c976f5652b2036572d8a36a17f5878886c3849f21a797d
Instruction ID: 8357c20f1b17740a6c0ca67d98aa10d01b486437f1a154f26ac8344d3baff2eb
Opcode Fuzzy Hash: d2537c7df8b8d21297c976f5652b2036572d8a36a17f5878886c3849f21a797d
Instruction Fuzzy Hash: EDF03A32B0E5498FD769EB5CE4518A873E0EF5932071600BBE1ADC75B7DA25EC818740

Function 00007FFD9B8C4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012910329.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c795ca601e37e9e83fd1109dc9506216d0f000ad8760f10953b6ca8e040aa1a
Instruction ID: b4d0c1d97e9c43a6f51d221615d4ba9ebb12c3a4a94d2d4fd06ad39084e20e3f
Opcode Fuzzy Hash: 9c795ca601e37e9e83fd1109dc9506216d0f000ad8760f10953b6ca8e040aa1a
Instruction Fuzzy Hash: ACF0BE72A0E5498FDB64EB4CE0608A873E0FF0932072600BBE059CB0A3DA25EC80C740

Function 00007FFD9B8C41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012910329.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 19611bf992d818319ffca05ef679498bf87821be3afbc0c8495d4bacff4bf068
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: DCE0E531B0C8088FDA78EB4CE0519A973E1EB9832171611ABD18EC7562CA22ED918B80

Function 00007FFD9B7FA2AA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2012147632.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5532bab3d669a1860dd96f8ffa3cff6c22b2e4e400784fcfe1ded3ad5d5237
Instruction ID: 8b2a7061d6a2575d52b679a8906af76b5a6c9153205c3cd09c37b59f9194fe07
Opcode Fuzzy Hash: ef5532bab3d669a1860dd96f8ffa3cff6c22b2e4e400784fcfe1ded3ad5d5237
Instruction Fuzzy Hash: 47E04631910A0C8F8B44EF18D8498EA7BA0FB28305B0002ABE80DC7120DB30AA58CBC2

Non-executed Functions

Function 00007FFD9B7F8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^7, xrefs: 00007FFD9B7F8C12
L_^4, xrefs: 00007FFD9B7F8BFA
L_^J, xrefs: 00007FFD9B7F8C8A
L_^F, xrefs: 00007FFD9B7F8C7A

Memory Dump Source

Source File: 00000007.00000002.2012147632.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 38d168e9ffd793027842d095f53a95ea8f65d06b602b5c505eb243c658d76433
Instruction ID: 04a69f08816bc91c8d325c6fadc50cdf1a4162b35631b59aac8caa5ed48679d6
Opcode Fuzzy Hash: 38d168e9ffd793027842d095f53a95ea8f65d06b602b5c505eb243c658d76433
Instruction Fuzzy Hash: 022126BBB081654ED305BBBDB8199ED3750CFD423935692F2D2A98B093EE147086CAD0

Analysis Process: powershell.exePID: 2816, Parent PID: 7432COMMON

Executed Functions

Function 00007FFD9B80644D Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2223995503.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a5448dd6e1b104ee13bca7f43f44036d5227c64b771d1d264322ff16e1d29f
Instruction ID: 037ac1ab26722afa81261195cb9ffc3c99e142d309db7c23176f4f59250f5e45
Opcode Fuzzy Hash: c2a5448dd6e1b104ee13bca7f43f44036d5227c64b771d1d264322ff16e1d29f
Instruction Fuzzy Hash: 3DD19070A08A4D8FDF98DF58C465AED7BE1FF68340F15416AD44DD72A6CA34E841CB80

Function 00007FFD9B8D6605 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225151578.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc86ed4ba0159b94acff528bbbb7ee02ac7f78f69bfd15f4ea95ba6598be3c2
Instruction ID: a218297ea1b5249d4b1a50001f9593a9ef505bf8a550fe9bbf48170a1e382965
Opcode Fuzzy Hash: fcc86ed4ba0159b94acff528bbbb7ee02ac7f78f69bfd15f4ea95ba6598be3c2
Instruction Fuzzy Hash: 4ED13572B0FACE4FEB659B6898655A57BA0EF9A214B0903FFD44CC70E3D918A905C341

Function 00007FFD9B80B71C Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2223995503.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e6e21f6aaeb43365fad34bac2a69d059c1bac0c59f3fa62ce9e199e1158f25
Instruction ID: 8543ca20cd1085a1f51770b444bc629755e78b1fc212cc6444d964306ce1fe09
Opcode Fuzzy Hash: e5e6e21f6aaeb43365fad34bac2a69d059c1bac0c59f3fa62ce9e199e1158f25
Instruction Fuzzy Hash: E481353161DA8C4FDB58EF6CC895AF57BE0EF99350F0441BED08AC71A2DA25A846CB41

Function 00007FFD9B80974E Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2223995503.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f734718534126f61236720738e38e60253ef6827327a4fe60e7735fb766005
Instruction ID: 52ef8517a2c62cae6b36d2cc778baf00ff6092c923b90f6e303cf37da7695dc7
Opcode Fuzzy Hash: b7f734718534126f61236720738e38e60253ef6827327a4fe60e7735fb766005
Instruction Fuzzy Hash: 2E41283290DB888FDB19DF5C9C1A6E9BBE0FB59310F04416FD099D3292CA24A915CBC2

Function 00007FFD9B6EE620 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2222907217.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b6ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af7b5ec1ceeef69825837a812f8a9e22a9ab4a9de57099a118a363152b55b33
Instruction ID: d2983438bc7b271a5b43a24404efd51e97a84e9e6155b421edc7533f2549126b
Opcode Fuzzy Hash: 0af7b5ec1ceeef69825837a812f8a9e22a9ab4a9de57099a118a363152b55b33
Instruction Fuzzy Hash: 2441057180EBC44FE7A69B29D8559523FF0EF56320B1505EFD0C8CB1A3D725A846C792

Function 00007FFD9B8033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2223995503.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B80A0FB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2223995503.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c93afa6b19813028bf2181272a8e3d648fc6207855fb7a06cc3ecd39c0dcb7
Instruction ID: f1573f1b0a85b638286ce4778b1939152e1ef0fb322f63d55b8d24a78bc9f35b
Opcode Fuzzy Hash: e6c93afa6b19813028bf2181272a8e3d648fc6207855fb7a06cc3ecd39c0dcb7
Instruction Fuzzy Hash: 76F0FC36A1EA8C5FEBA1EF5C98654D47FA0FF59344B0502B7D489C70A1EA3155488781

Function 00007FFD9B8D414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225151578.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880c924df4c57218b173242feb30aebd111f6bd87284b29f498435c9cb28245c
Instruction ID: 2bd6890e1b48a57eed30bf9b853d131c92af5c1c9ff5a0ef32523b54d2f7ef8e
Opcode Fuzzy Hash: 880c924df4c57218b173242feb30aebd111f6bd87284b29f498435c9cb28245c
Instruction Fuzzy Hash: 0BF03A32B0E5498FDB69EB5CE4518A873E0EF99320B1A01BBE16DC75B7DA25EC418740

Function 00007FFD9B8D4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225151578.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3feedd1cf549ed9e603061348b8442df0d317f6c1cad636896c0e3bd50853a98
Instruction ID: 40b9abade2affbee2076c7629ef3db45aec7d9c68d2dec968d818b52e3b262f4
Opcode Fuzzy Hash: 3feedd1cf549ed9e603061348b8442df0d317f6c1cad636896c0e3bd50853a98
Instruction Fuzzy Hash: 7EF0BE32A0E5498FDB64EB4CE0648A873E0FF4932071601BBE059CB0A3DA25AC80C740

Function 00007FFD9B8D41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225151578.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 7088ed3d6d6b9d5ea87a478394cc45f134a04600c237e2e00915a735f27c0c4b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 07E01A31B0C8089FDB78DB4CE0519A973E1EB98331B1602BBD14EC7571CA22ED518B80

Non-executed Functions

Function 00007FFD9B808BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

K_^Q, xrefs: 00007FFD9B808C8A
K_^K, xrefs: 00007FFD9B808C6A
K_^Y, xrefs: 00007FFD9B808CBA
K_^<, xrefs: 00007FFD9B808C12
K_^?, xrefs: 00007FFD9B808C2A
K_^N, xrefs: 00007FFD9B808C72
K_^J, xrefs: 00007FFD9B808C62
K_^8, xrefs: 00007FFD9B808BF2

Memory Dump Source

Source File: 0000000B.00000002.2223995503.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
API String ID: 0-2350917820
Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction ID: 0aafbbd5924e028cb88f8fb2682b7fd57e09256c17de00bbea36593f1061e17b
Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction Fuzzy Hash: 6F210477B085555ACB0676BCB8559DC77A0DF9437935642F3E028CF093DD18A48B8680

Analysis Process: RuntimeBroker.exePID: 7564, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8016E9 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3883b1e102ecc186be2c500fc5a305c14061900ff9e240b90aa4238dc02076
Instruction ID: 24a452afa3da314533382bd185c97fa1423bf5eef335d93c6a84b796c22e5bf1
Opcode Fuzzy Hash: 6c3883b1e102ecc186be2c500fc5a305c14061900ff9e240b90aa4238dc02076
Instruction Fuzzy Hash: A8F1A270B29A4D4FE7A8FB7884796BD76E2FF88341F410579E04DC32D6DE28A8418741

Function 00007FFD9B800E5E Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c14543d094c3a90fcbd7a0ffbc3700a9f77a6c02b197220070a81f8b63e072
Instruction ID: 80e182903bd5fc8452126698e81339f1fd07285bedbcfca45d8c4eb1591bf878
Opcode Fuzzy Hash: 52c14543d094c3a90fcbd7a0ffbc3700a9f77a6c02b197220070a81f8b63e072
Instruction Fuzzy Hash: 44712916F0D6D90EE356B77C64695F92BA1DFC622970981FBD0CDCA0E7CC0868478352

Function 00007FFD9B801EF9 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b933dadc1fd62f75908ffead5b2f725d3a7a63512a7037b19b2de75605972522
Instruction ID: d8a390b0e1dd31e347416a83ce20408e6e7bacb4420016c8b516aa26145950cb
Opcode Fuzzy Hash: b933dadc1fd62f75908ffead5b2f725d3a7a63512a7037b19b2de75605972522
Instruction Fuzzy Hash: 4A510E10B1E6C90FD796AB7848746A5BFD5DF9B269B0800FAE0DDC71E7DE085806C342

Function 00007FFD9B8007F2 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

;L_, xrefs: 00007FFD9B800844
<L_^, xrefs: 00007FFD9B800801

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: ;L_$<L_^
API String ID: 0-636787459
Opcode ID: 2058c2057e9934d677d9592976006cd0a4fef84787bc2994b9c5ac1a7ed7d79c
Instruction ID: 1f2d71a2e1db7a37ff370b5390b23144dfeb0bd84917b639f10d0ebda6966d49
Opcode Fuzzy Hash: 2058c2057e9934d677d9592976006cd0a4fef84787bc2994b9c5ac1a7ed7d79c
Instruction Fuzzy Hash: 2541E136B5A68E4BD344EB6CA4B58ECBFB0BF8421075544F9D058873DBDE286941C740

Function 00007FFD9B8010FA Relevance: 1.9, Strings: 1, Instructions: 694COMMON

Download Yara Rule

Strings

3L_^, xrefs: 00007FFD9B801101

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 3L_^
API String ID: 0-195740063
Opcode ID: cd7e81dc9142594470fde6f841d23e14cf278a573618a75e731163ba206337e1
Instruction ID: 736f58503470abcd066dcc62c8863f90704f45de935e6e9d77170308a42e7045
Opcode Fuzzy Hash: cd7e81dc9142594470fde6f841d23e14cf278a573618a75e731163ba206337e1
Instruction Fuzzy Hash: F6911427F0959A0AD715F7ACB8764ED7B70EF86376B0A41B7D089CA0E7CD18240683D1

Function 00007FFD9B8011F0 Relevance: 1.8, Strings: 1, Instructions: 574COMMON

Download Yara Rule

Strings

2L_^, xrefs: 00007FFD9B801201

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 2L_^
API String ID: 0-3004606202
Opcode ID: 07c48ef7ba8f08db36af96cab1775d934244f1caf700cad32e44244a1e1e4392
Instruction ID: 979ddc30777a8cbf441ded79b4e9a5a73b32d77b07de1e73b9e1d5dcdd3bfa74
Opcode Fuzzy Hash: 07c48ef7ba8f08db36af96cab1775d934244f1caf700cad32e44244a1e1e4392
Instruction Fuzzy Hash: 28512727F0D58A4ED711FBACA8764ED7B70EF86365B0A41F7D099CA1E3DD1828068380

Function 00007FFD9B8011F2 Relevance: 1.8, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

2L_^, xrefs: 00007FFD9B801201

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 2L_^
API String ID: 0-3004606202
Opcode ID: 38d327a6cb379f8d5c1f3154ff692d777447c81436b2a4ea4a1a1aabefe2d422
Instruction ID: 6db11c94ba704e18abc0e913d3d8c2c468a4ad28ace3e8ff57c729f254de825e
Opcode Fuzzy Hash: 38d327a6cb379f8d5c1f3154ff692d777447c81436b2a4ea4a1a1aabefe2d422
Instruction Fuzzy Hash: F9510623F0958A4ED751FBACA8764ED7BB0EF86365B0941F7D099DA1E3DD1828468380

Function 00007FFD9B800AFB Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cfac2e099fb3597bceb372119b09c82121a9a713dbaea46f3a2e725876b2d9
Instruction ID: f15ab269fede6298d6790417e6d21067bc108928b437d16f24d3db41780fd02c
Opcode Fuzzy Hash: 28cfac2e099fb3597bceb372119b09c82121a9a713dbaea46f3a2e725876b2d9
Instruction Fuzzy Hash: C051F136F1995E8BDB04FBACA4759FC73A1EFC8366B55417AD009C32D6CE296442C780

Function 00007FFD9B800B6F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b16be53b3e12f4e9a02a85d7f758866cbce190f6c50a3d35b3d1973fc7e4fd5
Instruction ID: b14f660b6878e399051bff095f7bbbd43bb5be2fd0dabf6bfb600cdce1ede0bb
Opcode Fuzzy Hash: 7b16be53b3e12f4e9a02a85d7f758866cbce190f6c50a3d35b3d1973fc7e4fd5
Instruction Fuzzy Hash: 9541FE36B1591E8FDB44EBACD875AED73A1FF88312B5445BAD009C32D6CE35A842C780

Function 00007FFD9B800638 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaa219be65b73d6cc10aa4d09a8ae24da69ee2e9df43157f6927d5e1eac640b
Instruction ID: 88cc6687ac35734bd70cbd461dd185277c5c46a3bb3693e899395016687c63bf
Opcode Fuzzy Hash: ecaa219be65b73d6cc10aa4d09a8ae24da69ee2e9df43157f6927d5e1eac640b
Instruction Fuzzy Hash: 4031B221B1D9490FE798AB6C486A6B9A6C2EF9D355F0405BAF05EC32E7DE64AC018241

Function 00007FFD9B800D48 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998f023fa85b4e843ab65b9819c6b145505cab658b67263239ee0446d5a5bcd3
Instruction ID: b3d52a940a9cdc685ba3b593338c185561e72d2924e85768cd99057348073721
Opcode Fuzzy Hash: 998f023fa85b4e843ab65b9819c6b145505cab658b67263239ee0446d5a5bcd3
Instruction Fuzzy Hash: 70218411F2890E4BFB84BBAC546E7FC62D2EF9C755F504176E41DC32D6DE28A8418392

Function 00007FFD9B80086D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a95b855043ae69c1ab00bbb92155f7bfc34ea61059f48605322b3a3e3883c5
Instruction ID: 56fadc1b0f17034fbc0895db0c5d66dfda642b9f5757db4c1378258d3a7046d2
Opcode Fuzzy Hash: d4a95b855043ae69c1ab00bbb92155f7bfc34ea61059f48605322b3a3e3883c5
Instruction Fuzzy Hash: 2C218D38B5994D5FD744EF5C90B19EDBFB1BFC8200BA548E8E418833CACE286951C740

Function 00007FFD9B8020B1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2386649290.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558d5f4a01a8183e9eca8cab99e74e197f828d8b4e390b9dd896ee07dd0a739f
Instruction ID: 5b2cc0b92c220763a3c17e3db5e0639d1a3a1d96f549d5cb34223954f3de00f4
Opcode Fuzzy Hash: 558d5f4a01a8183e9eca8cab99e74e197f828d8b4e390b9dd896ee07dd0a739f
Instruction Fuzzy Hash: 66017B51A0DB890FE742AB782C704B57FE0DF9625070904FBE8C8C31E7C8086A40C392

Analysis Process: RuntimeBroker.exePID: 2720, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B7D16E9 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5b13bfc4d9f137085c16555b227e57036c63cca6a274683520a4ad152d7e33
Instruction ID: b9e69466fa1dfcb3b6b2b2dd409045b994075a6cde6bf60707471b10b068229d
Opcode Fuzzy Hash: 8b5b13bfc4d9f137085c16555b227e57036c63cca6a274683520a4ad152d7e33
Instruction Fuzzy Hash: ADF1B230B19B4D4FE798EB7884796BD76E1EFD8741F4146B9E00EC32E6DE28A9018741

Function 00007FFD9B7D0E5E Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b299ffe78daea8fbb76af7264e19bf1e15d1634c3d199b8340bf03b56e955c
Instruction ID: 8ca50d84dbd70e3614122c2a547fec087930ea86499b867cd4cb4e6e578c64e3
Opcode Fuzzy Hash: 95b299ffe78daea8fbb76af7264e19bf1e15d1634c3d199b8340bf03b56e955c
Instruction Fuzzy Hash: 00712816F0D69A0EE356B67C64695F92BA1DFC623970981FBE0CDCA0E7DC0828478352

Function 00007FFD9B7D1EF9 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c31cdd2b4e48507a5d3b3119a023b448253ab30e4486fedede896ed3538b7b3
Instruction ID: 1e8bd650604f4ec2ab02221c8afa406af2f06ce943626f5bd5a155721ecb8314
Opcode Fuzzy Hash: 4c31cdd2b4e48507a5d3b3119a023b448253ab30e4486fedede896ed3538b7b3
Instruction Fuzzy Hash: 40511F10B1E6C90FD796AB784874675BFD1DF96219B0806FAE09DC71E7DE085C0AC342

Function 00007FFD9B7D07F2 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

<O_^, xrefs: 00007FFD9B7D0801
;O_, xrefs: 00007FFD9B7D0844

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: ;O_$<O_^
API String ID: 0-3431308889
Opcode ID: 5f01d9ae3e6543a3e238eb4b13e234994a2e3a93cfa3d1cb61d3daff26517625
Instruction ID: 1e0334c70ba60185490b5f4fbb841720bfbc9504d4f388181f3ae4fe2bb0852f
Opcode Fuzzy Hash: 5f01d9ae3e6543a3e238eb4b13e234994a2e3a93cfa3d1cb61d3daff26517625
Instruction Fuzzy Hash: EF41D136B4A68A4BD344EB6CA0B59E8BBB0BFC4205B4585F5D118873DBEE286905C740

Function 00007FFD9B7D10FA Relevance: 1.9, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

3O_^, xrefs: 00007FFD9B7D1101

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 3O_^
API String ID: 0-166494150
Opcode ID: 20484ccb3252c7dd75db47a95b7b9d21cbad32783e318a2105c909d44a32da6c
Instruction ID: 7d845e7c4e53629f85121d9ce28fc79b272bc96ef84acb605965d444ddacf685
Opcode Fuzzy Hash: 20484ccb3252c7dd75db47a95b7b9d21cbad32783e318a2105c909d44a32da6c
Instruction Fuzzy Hash: 2191262BF0969A0AD710F7ADB4755ED7B70EFC1276B0A42B7C18DCA4E3CD1828498390

Function 00007FFD9B7D11F2 Relevance: 1.8, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

2O_^, xrefs: 00007FFD9B7D1201

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 2O_^
API String ID: 0-2974816419
Opcode ID: 074bbc139cd036a57e36f0468aca76ca24f419475ea825d45d8552fe2bfee841
Instruction ID: ebe9371d152d27c5c00ea2ca555798dec7ab6f7d9ac06790a7809128e9189d17
Opcode Fuzzy Hash: 074bbc139cd036a57e36f0468aca76ca24f419475ea825d45d8552fe2bfee841
Instruction Fuzzy Hash: B6513527F0969A0EE711F7ACA4754ED7B70EFC1225B0A42F7C19DDA0E3DD18284A8390

Function 00007FFD9B7D11F0 Relevance: 1.8, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

2O_^, xrefs: 00007FFD9B7D1201

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 2O_^
API String ID: 0-2974816419
Opcode ID: 89eadae77127d89ed12456fcea0108e180f0c5215af198575886f1a890346e2e
Instruction ID: c28932ebaeb3ded36abc9f93e234b249f212dbe05596cc092eb4d92359d3f1fe
Opcode Fuzzy Hash: 89eadae77127d89ed12456fcea0108e180f0c5215af198575886f1a890346e2e
Instruction Fuzzy Hash: DE512527F0969A0EE711F7ACA4755ED7B70EFC1225B0A42F7C19DDA1E3DD18284A8390

Function 00007FFD9B7D0AFB Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8d9398a948079fdbd6884fd73b9f0cd8aed9d794a5b8e04d17d17efecab2ac
Instruction ID: 4b1b7399a41fed99e64f27d9952913e2f7bb8ded78152277927aa5efd413c775
Opcode Fuzzy Hash: db8d9398a948079fdbd6884fd73b9f0cd8aed9d794a5b8e04d17d17efecab2ac
Instruction Fuzzy Hash: 5351F336F0961A8BD704BBACA475AEC73B1FFD4326B11427AD109C72D6CE246845C790

Function 00007FFD9B7D0B6F Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbc64390644942eb9cd3c40626a7a0853d19a55fe762d16f96ee9f6b27caed0
Instruction ID: f5459c732b5d10da37b631f0d1c1f5055a39b984bf66196be210afcc4b5e763e
Opcode Fuzzy Hash: 9bbc64390644942eb9cd3c40626a7a0853d19a55fe762d16f96ee9f6b27caed0
Instruction Fuzzy Hash: 2441F335B05A1E8FDB44EB68E871AEC73B1FFD4311B4046BAD109C7286DE34A846C780

Function 00007FFD9B7D0638 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7ca3859231a0f2b1b7456fac5cdd3c138ad4d87f0ecf78f37f25fd5470133d
Instruction ID: 86531bd777139232f21f0fa1c38836984e03d9095d83896074e1f5bc35b445c2
Opcode Fuzzy Hash: bd7ca3859231a0f2b1b7456fac5cdd3c138ad4d87f0ecf78f37f25fd5470133d
Instruction Fuzzy Hash: 7B31D621B1D9490FE798EE6C446A779B6C2EFD8345F0406BAE01EC32E7DD64AC018341

Function 00007FFD9B7D0D48 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392

Function 00007FFD9B7D086D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823af76059137eee4c5ac96cfee52d722457ebb25b2aef1d93c85c7127b76379
Instruction ID: 3df1c66c8253e35528f0c17434311c7b35e4710f62f2117a2aeea24dbb99fbbd
Opcode Fuzzy Hash: 823af76059137eee4c5ac96cfee52d722457ebb25b2aef1d93c85c7127b76379
Instruction Fuzzy Hash: 1F219134B9594E4FD744EB5CA0B59EDBF71BBD8200B8189E4D519C33CAEE286901C740

Function 00007FFD9B7D20B1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2467642194.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b7d0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c516b26ec5fa7d22355bd5495ac680363c089af503620df7772ba90fd68eb7
Instruction ID: e60e109c70c3efddbd2a1f5653da9f0a65d71995b04b375865ff0e00ce370c8b
Opcode Fuzzy Hash: 06c516b26ec5fa7d22355bd5495ac680363c089af503620df7772ba90fd68eb7
Instruction Fuzzy Hash: 4B017B61A0EB890FE7526A386C614757FA0DFD1284B0906FBE888C20FBD9085A45C392

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SharkHack.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SharkHack.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jobpvtc.qrm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dor5zdu.dbj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jm2rhxe.aiu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54psllgw.pc5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amcll5wn.bh2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cex1hau3.gom.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foe252ax.z00.ps1

Windows Analysis Report
SharkHack.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre