Windows Analysis Report
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Overview

General Information

Sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe renamed because original name is a hash value
Original sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO66158152 WKH2406122.scr.exe
Analysis ID:	1519263
MD5:	c9f0c69a4cd0b678f239a9e7aae10202
SHA1:	e2ae9b8c6074e9dbfe76a9a65e7d0ca8367ccc20
SHA256:	5b18e86b916afe8f7f7e4ced40194c8a24b4c731bbbe175b52485de2a6b0bbb2
Tags:	exeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: 104.250.180.178
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: 7061
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: <123456789>
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: XWorm V5.2
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: USB.exe
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: %AppData%
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: XClient.exe

Uses 32bit PE files

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yPhv.pdbSHA256 source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, XClient.exe.3.dr
Source:	Binary string: yPhv.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, XClient.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49741 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49741 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49741 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 104.250.180.178:7061

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 0000000C.00000002.1931436415.0000000008743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.1759461319.0000000005608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1798429624.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1847804492.0000000005BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1753255534.00000000046F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.00000000049E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1753255534.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1753255534.00000000046F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.00000000049E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micr.
Source: powershell.exe, 00000007.00000002.1804108576.00000000074DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1762650445.000000000715A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.dgx
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000004.00000002.1753255534.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1759461319.0000000005608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1798429624.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1847804492.0000000005BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_00EFDE4C	0_2_00EFDE4C
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF7368	0_2_04DF7368
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF0040	0_2_04DF0040
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF0007	0_2_04DF0007
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF1090	0_2_04DF1090
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF7358	0_2_04DF7358
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF9D47	0_2_04DF9D47
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D144C7	3_2_00D144C7
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D14AC0	3_2_00D14AC0
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D11458	3_2_00D11458
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D11A68	3_2_00D11A68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0443B490	4_2_0443B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08523E98	4_2_08523E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8B490	7_2_02F8B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8B470	7_2_02F8B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F81FBD	7_2_02F81FBD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0307B490	9_2_0307B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0307B470	9_2_0307B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_032BB490	12_2_032BB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_032BB470	12_2_032BB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08BA3E98	12_2_08BA3E98

Sample file is different than original file name gathered from version info

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000000.1678175059.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyPhv.exeD vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701925085.00000000071C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1694041318.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1697581417.0000000003919000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4170437401.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyPhv.exeD vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4172944980.0000000005B19000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Binary or memory string: OriginalFilenameyPhv.exeD vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Uses 32bit PE files

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/21@0/1

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\f8RKHn3SOlVxjC9t

Source: unknown	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.kpaiBhymIJGBuLt851gqZoLAoD2fiZkc0DA3Lc823wxxdIa6PYsvKZlA56OH12YQ41sSLHjT4iWQJiKp8tggB2I54feK1c86Mqm,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.zZbnUIep0vWxKxGVBok7L3PrzjZoEnwL0TSMXbwigCiaVp6nuwuxywUGaEN9dKldJ3TrYBoPGwVErMlqUaYHm6AAkBixXvLS97V,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw._1fd035fDiEoy57pBpWpWQTfLABgAwu559F98CfIdCDdRJ74x4qfREzt6LaVDN65xSX6mXNev2t5WO73ujfaH60MUncnZRoGV4vj,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.IW9FNA672lsDi2tCYs0XmXfyWkYhTHM1nl8C6baQ9lTI8YY8Qyto5zkIeoHh2Zcqmqyiuv94riMmQCcGwepP0z2tUnSyyl1yoCb,LQsPA89PDgnCWG85KTzaHUxHxV.WufUBprPTFHXMI553kXybp9FaY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9CLWboLL8arHgBpNMCHih5iKc1[2],LQsPA89PDgnCWG85KTzaHUxHxV.WL37fsRxQxlu6tAK1xjQRngPmh(Convert.FromBase64String(_9CLWboLL8arHgBpNMCHih5iKc1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _9CLWboLL8arHgBpNMCHih5iKc1[2] }}, (string[])null, (Type[])null, (bool[])null, true)

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.54e0000.5.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	.Net Code: oOfkVKSLEE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	.Net Code: oOfkVKSLEE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP System.AppDomain.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn System.AppDomain.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	.Net Code: oOfkVKSLEE System.Reflection.Assembly.Load(byte[])
Source: XClient.exe.3.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3b05570.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8629D push eax; ret	7_2_02F86351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8633D push eax; ret	7_2_02F86351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0307632D push eax; ret	9_2_03076341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_03073A9C push ebx; retf	9_2_03073ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_032B629D push eax; ret	12_2_032B6351

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Static PE information: section name: .text entropy: 7.792568924601146
Source: XClient.exe.3.dr	Static PE information: section name: .text entropy: 7.792568924601146

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 7B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 8B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 9D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Window / User API: threadDelayed 377	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Window / User API: threadDelayed 9478	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7006	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2768	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1600	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7922	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7100	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2630	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1047

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 7124	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 2000	Thread sleep count: 377 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 2000	Thread sleep count: 9478 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep count: 1600 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep count: 7922 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2484	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 7100 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 2630 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5828	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3384	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5600	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: Yara match	File source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7156, type: MEMORYSTR

ID:	1519263
Product:	CloudBasic
Start time:	09:28:37
Start date:	26.09.2024
Sample:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c9f0c69a4cd0b678f239a9e7aae10202
SHA1:	e2ae9b8c6074e9dbfe76a9a65e7d0ca8367ccc20
SHA256:	5b18e86b916afe8f7f7e4ced40194c8a24b4c731bbbe175b52485de2a6b0bbb2
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	1F82C60AA85E60E61C4A04C0D499EC02	B7D0189CD0D580E7B0FC6AD1129CD2D41D22D34D	6ECEF0FFDB1FF7C6BC74AA5C63898D3BF274B6DD64B5A590E88C2578853AEEEE
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	2C11513C4FAB02AEDEE23EC05A2EB3CC	59177C177B2546FBD8EC7688BAD19D08D32640DE	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ekzbwv0.p1r.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wjuv0yg.gdq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45trmmj0.et1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4affsnnl.cx0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4k4ffrjg.rsw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5d2ki1vs.kv5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cp2etgf2.dg3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqkphgh1.ems.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esz3eelj.ihu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghjd1qdr.q0h.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ji3rva4a.kx0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l52mmcxd.dra.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1wssa4w.kiu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nobnflej.mbh.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_voj25otp.zt1.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z53vlonu.rh4.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 26 06:29:55 2024, mtime=Thu Sep 26 06:29:55 2024, atime=Thu Sep 26 06:29:55 2024, length=467456, window=hide	90077EB2380C3B64872D35EB6004BCCB	5BC8DEAB9D6348C1A7139FC062D99D8ADF4565EA	0FD147D5E4F068A37F938A6233BCFEBB86CE97DDCD2E4B4011A8FCA65A6B0BBE
C:\Users\user\AppData\Roaming\XClient.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C9F0C69A4CD0B678F239A9E7AAE10202	E2AE9B8C6074E9DBFE76A9A65E7D0CA8367CCC20	5B18E86B916AFE8F7F7E4CED40194C8A24B4C731BBBE175B52485DE2A6B0BBB2

Windows Analysis Report DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Malware Threat Intel
Provided by