Edit tour

Windows Analysis Report
A39tzaySzX.exe

Overview

General Information

Sample name:	A39tzaySzX.exe renamed because original name is a hash value
Original sample name:	40e2d1401d62feb1971eb8e5f216ef1231199e58cd4c55692b3ba048ed13fb87.exe
Analysis ID:	1527485
MD5:	22f8e7b6bee7261893c506edf6ad4f5d
SHA1:	0b3500c4f645cc80dff09acf2a14817a1258b7b6
SHA256:	40e2d1401d62feb1971eb8e5f216ef1231199e58cd4c55692b3ba048ed13fb87
Tags:	exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

A39tzaySzX.exe (PID: 2148 cmdline: "C:\Users\user\Desktop\A39tzaySzX.exe" MD5: 22F8E7B6BEE7261893C506EDF6AD4F5D)

powershell.exe (PID: 4744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'A39tzaySzX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1644 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RuntimeBroker (PID: 5668 cmdline: C:\Users\user\AppData\Roaming\RuntimeBroker MD5: 22F8E7B6BEE7261893C506EDF6AD4F5D)

RuntimeBroker (PID: 5416 cmdline: C:\Users\user\AppData\Roaming\RuntimeBroker MD5: 22F8E7B6BEE7261893C506EDF6AD4F5D)

OpenWith.exe (PID: 2472 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

svchost.exe (PID: 5552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

OpenWith.exe (PID: 3056 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["introduction-husband.gl.at.ply.gg"], "Port": "7632", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
A39tzaySzX.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
A39tzaySzX.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
A39tzaySzX.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
A39tzaySzX.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x917f:$s6: VirtualBox 0x90dd:$s8: Win32_ComputerSystem 0x9e7f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9f1c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa031:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x97d7:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\RuntimeBroker	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\RuntimeBroker	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\RuntimeBroker	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\RuntimeBroker	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x917f:$s6: VirtualBox 0x90dd:$s8: Win32_ComputerSystem 0x9e7f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9f1c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa031:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x97d7:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8f7f:$s6: VirtualBox 0x8edd:$s8: Win32_ComputerSystem 0x9c7f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9d1c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9e31:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95d7:$cnc4: POST / HTTP/1.1
Process Memory Space: A39tzaySzX.exe PID: 2148	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: A39tzaySzX.exe PID: 2148	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.A39tzaySzX.exe.310000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.A39tzaySzX.exe.310000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.A39tzaySzX.exe.310000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.A39tzaySzX.exe.310000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x917f:$s6: VirtualBox 0x90dd:$s8: Win32_ComputerSystem 0x9e7f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9f1c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa031:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x97d7:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A39tzaySzX.exe", ParentImage: C:\Users\user\Desktop\A39tzaySzX.exe, ParentProcessId: 2148, ParentProcessName: A39tzaySzX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', ProcessId: 4744, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A39tzaySzX.exe", ParentImage: C:\Users\user\Desktop\A39tzaySzX.exe, ParentProcessId: 2148, ParentProcessName: A39tzaySzX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', ProcessId: 4744, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\RuntimeBroker, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\A39tzaySzX.exe, ProcessId: 2148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\RuntimeBroker, CommandLine: C:\Users\user\AppData\Roaming\RuntimeBroker, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RuntimeBroker, NewProcessName: C:\Users\user\AppData\Roaming\RuntimeBroker, OriginalFileName: C:\Users\user\AppData\Roaming\RuntimeBroker, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\RuntimeBroker, ProcessId: 5668, ProcessName: RuntimeBroker

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\A39tzaySzX.exe, ProcessId: 2148, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\A39tzaySzX.exe", ParentImage: C:\Users\user\Desktop\A39tzaySzX.exe, ParentProcessId: 2148, ParentProcessName: A39tzaySzX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker", ProcessId: 1644, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A39tzaySzX.exe", ParentImage: C:\Users\user\Desktop\A39tzaySzX.exe, ParentProcessId: 2148, ParentProcessName: A39tzaySzX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe', ProcessId: 4744, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5552, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\A39tzaySzX.exe", ParentImage: C:\Users\user\Desktop\A39tzaySzX.exe, ParentProcessId: 2148, ParentProcessName: A39tzaySzX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker", ProcessId: 1644, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: A39tzaySzX.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: A39tzaySzX.exe

Malware Configuration Extractor: Xworm {"C2 url": ["introduction-husband.gl.at.ply.gg"], "Port": "7632", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: A39tzaySzX.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: A39tzaySzX.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: A39tzaySzX.exe	String decryptor: introduction-husband.gl.at.ply.gg
Source: A39tzaySzX.exe	String decryptor: 7632
Source: A39tzaySzX.exe	String decryptor: 12345
Source: A39tzaySzX.exe	String decryptor: <Xwormmm>
Source: A39tzaySzX.exe	String decryptor: test
Source: A39tzaySzX.exe	String decryptor: USB.exe
Source: A39tzaySzX.exe	String decryptor: %AppData%
Source: A39tzaySzX.exe	String decryptor: RuntimeBroker

Source: A39tzaySzX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: A39tzaySzX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: introduction-husband.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:49966 -> 147.185.221.23:7632

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: introduction-husband.gl.at.ply.gg

Source: powershell.exe, 00000005.00000002.2240792986.000001C9AA8D4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242814738.000001C9AAAED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.2393361752.000002715A3B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.2393361752.000002715A3B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000008.00000002.2393189735.000002715A220000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000002.00000002.2126403239.000002583B66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000012.00000002.3262855235.00000224EB690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: A39tzaySzX.exe, RuntimeBroker.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2118683281.0000025832F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2226024336.000001C9A2470000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2372336268.0000027151C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2094750734.00000258230F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: A39tzaySzX.exe, 00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2094750734.0000025822ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2094750734.00000258230F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2606311818.000002DE7E688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000002.00000002.2126403239.000002583B66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coE
Source: powershell.exe, 00000002.00000002.2125483519.000002583B3D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC
Source: powershell.exe, 00000002.00000002.2094750734.0000025822ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000012.00000003.2762525021.00000224EB450000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2124721847.000002583B391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co?
Source: powershell.exe, 00000002.00000002.2118683281.0000025832F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2226024336.000001C9A2470000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2372336268.0000027151C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.18.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A39tzaySzX.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: A39tzaySzX.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: RuntimeBroker.0.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: A39tzaySzX.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E8155E	0_2_00007FF848E8155E
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E892E9	0_2_00007FF848E892E9
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E86AA1	0_2_00007FF848E86AA1
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E81F41	0_2_00007FF848E81F41
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E85CF1	0_2_00007FF848E85CF1
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E89CDD	0_2_00007FF848E89CDD
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E81CA5	0_2_00007FF848E81CA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F330E9	5_2_00007FF848F330E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F62E11	8_2_00007FF848F62E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F630E9	10_2_00007FF848F630E9
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Code function: 15_2_00007FF848E5155F	15_2_00007FF848E5155F
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Code function: 15_2_00007FF848E51CA5	15_2_00007FF848E51CA5
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Code function: 16_2_00007FF848E8155E	16_2_00007FF848E8155E
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Code function: 16_2_00007FF848E81CA5	16_2_00007FF848E81CA5

Source: A39tzaySzX.exe, 00000000.00000000.2014657464.000000000031E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs A39tzaySzX.exe
Source: A39tzaySzX.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs A39tzaySzX.exe

Source: A39tzaySzX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: A39tzaySzX.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: A39tzaySzX.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: A39tzaySzX.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: A39tzaySzX.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RuntimeBroker.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RuntimeBroker.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RuntimeBroker.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: A39tzaySzX.exe, Settings.cs	Base64 encoded string: 'wY0fsZP7MXJ1lyx9yoOjEKmnF9+ycq1IKQOV+6vXS4tAZ2q6vUCVQ0HMM14YADJb'
Source: RuntimeBroker.0.dr, Settings.cs	Base64 encoded string: 'wY0fsZP7MXJ1lyx9yoOjEKmnF9+ycq1IKQOV+6vXS4tAZ2q6vUCVQ0HMM14YADJb'

Source: A39tzaySzX.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: A39tzaySzX.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: RuntimeBroker.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: RuntimeBroker.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/25@2/3

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File created: C:\Users\user\AppData\Roaming\RuntimeBroker

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3056:120:WilError_03
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Mutant created: \Sessions\1\BaseNamedObjects\spulzv1Fsz05jkqg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: A39tzaySzX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: A39tzaySzX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A39tzaySzX.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File read: C:\Users\user\Desktop\A39tzaySzX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\A39tzaySzX.exe "C:\Users\user\Desktop\A39tzaySzX.exe"
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'A39tzaySzX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'A39tzaySzX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker"	Jump to behavior

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: RuntimeBroker.lnk.0.dr

LNK file: ..\..\..\..\..\RuntimeBroker

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: A39tzaySzX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: A39tzaySzX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: A39tzaySzX.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: A39tzaySzX.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: A39tzaySzX.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: RuntimeBroker.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: RuntimeBroker.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: RuntimeBroker.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: A39tzaySzX.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: A39tzaySzX.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: A39tzaySzX.exe, Messages.cs	.Net Code: Memory
Source: RuntimeBroker.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: RuntimeBroker.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: RuntimeBroker.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E87BB1 push E95D8DC9h; ret	0_2_00007FF848E87C79
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E87C2D push E95D8DC9h; ret	0_2_00007FF848E87C79
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Code function: 0_2_00007FF848E8000A pushad ; iretd	0_2_00007FF848E800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D4D2A5 pushad ; iretd	2_2_00007FF848D4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E600BD pushad ; iretd	2_2_00007FF848E600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F30835 pushfd ; retf	2_2_00007FF848F30837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F32316 push 8B485F94h; iretd	2_2_00007FF848F3231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F32185 pushfd ; retf	2_2_00007FF848F32187
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848D4D2A5 pushad ; iretd	5_2_00007FF848D4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848E600BD pushad ; iretd	5_2_00007FF848E600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F30835 pushfd ; retf	5_2_00007FF848F30837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F32316 push 8B485F94h; iretd	5_2_00007FF848F3231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F32185 pushfd ; retf	5_2_00007FF848F32187
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F38588 push eax; retf	5_2_00007FF848F38589
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848D7D2A5 pushad ; iretd	8_2_00007FF848D7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F60835 pushfd ; retf	8_2_00007FF848F60837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F62316 push 8B485F91h; iretd	8_2_00007FF848F6231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F62185 pushfd ; retf	8_2_00007FF848F62187
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848D7D2A5 pushad ; iretd	10_2_00007FF848D7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F62316 push 8B485F91h; iretd	10_2_00007FF848F6231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F62185 pushfd ; retf	10_2_00007FF848F62187

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File created: C:\Users\user\AppData\Roaming\RuntimeBroker

Jump to dropped file

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File created: C:\Users\user\AppData\Roaming\RuntimeBroker

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A39tzaySzX.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker"

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Jump to behavior

Source: C:\Users\user\Desktop\A39tzaySzX.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Jump to behavior

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker			Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A39tzaySzX.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\A39tzaySzX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\A39tzaySzX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\A39tzaySzX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: A39tzaySzX.exe, 00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: A39tzaySzX.exe, RuntimeBroker.0.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Memory allocated: 2310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Memory allocated: 1A960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Memory allocated: 1490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Memory allocated: 1B070000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Window / User API: threadDelayed 3899	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Window / User API: threadDelayed 5938	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6631	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3159	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7622	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2017	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7760	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1786	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6934
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2681

Source: C:\Users\user\Desktop\A39tzaySzX.exe TID: 2436	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5476	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5508	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1632	Thread sleep count: 7760 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep count: 1786 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6688	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072	Thread sleep count: 6934 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072	Thread sleep count: 2681 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\RuntimeBroker TID: 1568	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\RuntimeBroker TID: 5544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4432	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\A39tzaySzX.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\A39tzaySzX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Thread delayed: delay time: 922337203685477

Source: RuntimeBroker.0.dr	Binary or memory string: vmware
Source: svchost.exe, 00000012.00000002.3262643662.00000224EB620000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3261036969.00000224E602B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3262780986.00000224EB65A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: A39tzaySzX.exe, 00000000.00000002.3273361551.000000001B472000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Code function: 0_2_00007FF848E87631 CheckRemoteDebuggerPresent,

0_2_00007FF848E87631

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Process token adjusted: Debug

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker'
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'A39tzaySzX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker"	Jump to behavior

Source: A39tzaySzX.exe, 00000000.00000002.3266030473.0000000002642000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: A39tzaySzX.exe, 00000000.00000002.3266030473.0000000002642000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: A39tzaySzX.exe, 00000000.00000002.3266030473.0000000002642000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: A39tzaySzX.exe, 00000000.00000002.3266030473.0000000002642000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: A39tzaySzX.exe, 00000000.00000002.3266030473.0000000002642000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\A39tzaySzX.exe	Queries volume information: C:\Users\user\Desktop\A39tzaySzX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\A39tzaySzX.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker VolumeInformation
Source: C:\Users\user\AppData\Roaming\RuntimeBroker	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation

Source: C:\Users\user\Desktop\A39tzaySzX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A39tzaySzX.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Source: A39tzaySzX.exe, 00000000.00000002.3260745216.00000000009B1000.00000004.00000020.00020000.00000000.sdmp, A39tzaySzX.exe, 00000000.00000002.3273361551.000000001B4BF000.00000004.00000020.00020000.00000000.sdmp, A39tzaySzX.exe, 00000000.00000002.3273361551.000000001B50A000.00000004.00000020.00020000.00000000.sdmp, A39tzaySzX.exe, 00000000.00000002.3273361551.000000001B546000.00000004.00000020.00020000.00000000.sdmp, A39tzaySzX.exe, 00000000.00000002.3273361551.000000001B472000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\A39tzaySzX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\A39tzaySzX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\A39tzaySzX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A39tzaySzX.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: A39tzaySzX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.A39tzaySzX.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A39tzaySzX.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	33 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	2 Scheduled Task/Job	111 Obfuscated Files or Information	Security Account Manager	551 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	161 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
A39tzaySzX.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
A39tzaySzX.exe	100%	Avira	TR/Spy.Gen
A39tzaySzX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\RuntimeBroker	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\RuntimeBroker	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RuntimeBroker	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown
introduction-husband.gl.at.ply.gg	147.185.221.23	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
introduction-husband.gl.at.ply.gg	true		unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.microsoft.coE	powershell.exe, 00000002.00000002.2126403239.000002583B66C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2118683281.0000025832F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2226024336.000001C9A2470000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2372336268.0000027151C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2094750734.00000258230F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000002.00000002.2126403239.000002583B66C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000008.00000002.2393361752.000002715A3B6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.microsoft.co?	powershell.exe, 00000002.00000002.2124721847.000002583B391000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000012.00000002.3262855235.00000224EB690000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000012.00000003.2762525021.00000224EB450000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/Prod/C:	edb.log.18.dr, qmgr.db.18.dr	false		unknown
http://crl.m	powershell.exe, 00000005.00000002.2240792986.000001C9AA8D4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242814738.000001C9AAAED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2094750734.00000258230F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66369000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2118683281.0000025832F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2226024336.000001C9A2470000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2372336268.0000027151C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2581049960.000002DE761AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://.VisualC	powershell.exe, 00000002.00000002.2125483519.000002583B3D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micft.cMicRosof	powershell.exe, 00000008.00000002.2393361752.000002715A3B6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2094750734.0000025822ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.c	powershell.exe, 0000000A.00000002.2606311818.000002DE7E688000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	A39tzaySzX.exe, 00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2094750734.0000025822ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2162176332.000001C992401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2282321082.0000027141BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439226360.000002DE66141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micros	powershell.exe, 00000008.00000002.2393189735.000002715A220000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
147.185.221.23	introduction-husband.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527485
Start date and time:	2024-10-07 00:51:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	A39tzaySzX.exe renamed because original name is a hash value
Original Sample Name:	40e2d1401d62feb1971eb8e5f216ef1231199e58cd4c55692b3ba048ed13fb87.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/25@2/3
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RuntimeBroker, PID 5416 because it is empty
Execution Graph export aborted for target RuntimeBroker, PID 5668 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4744 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5580 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6460 because it is empty
Execution Graph export aborted for target powershell.exe, PID 748 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: A39tzaySzX.exe

Simulations

Behavior and APIs

Time	Type	Description
00:52:56	Task Scheduler	Run new task: RuntimeBroker path: C:\Users\user\AppData\Roaming\RuntimeBroker
00:52:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker
00:53:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker
00:53:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk
18:51:58	API Interceptor	56x Sleep call for process: powershell.exe modified
18:52:54	API Interceptor	277x Sleep call for process: A39tzaySzX.exe modified
18:53:05	API Interceptor	2x Sleep call for process: OpenWith.exe modified
18:53:06	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Bpz46JayQ4.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	qtYuyATh0U.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SOA-injazfe-10424.vbs	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	8QBpLkbY6i.exe	Get hash	malicious	WhiteSnake Stealer	Browse	ip-api.com/line?fields=query,country
	BootstrapperV1.19.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	NewLoaderCracks_1.32.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Bpz46JayQ4.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	qtYuyATh0U.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SOA-injazfe-10424.vbs	Get hash	malicious	XWorm	Browse	208.95.112.1
	8QBpLkbY6i.exe	Get hash	malicious	WhiteSnake Stealer	Browse	208.95.112.1
	BootstrapperV1.19.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	NewLoaderCracks_1.32.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	Bpz46JayQ4.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	qtYuyATh0U.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SOA-injazfe-10424.vbs	Get hash	malicious	XWorm	Browse	208.95.112.1
	8QBpLkbY6i.exe	Get hash	malicious	WhiteSnake Stealer	Browse	208.95.112.1
	BootstrapperV1.19.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	NewLoaderCracks_1.32.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
SALSGIVERUS	Bpz46JayQ4.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	e4L9TXRBhB.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	H1N45BQJ8x.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	r4RF3TX5Mi.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	BootstrapperV1.19.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	ra66DSpa.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	tMREqVW0.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	wSVyC8FY.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	eFvQTTtxej.exe	Get hash	malicious	Njrat	Browse	147.185.221.22
	Q5N7WOpk8J.bat	Get hash	malicious	Unknown	Browse	147.185.221.21

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.830713561635632
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugJ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFL
MD5:	F7AB1486137E30DBE4E51677AAACFE80
SHA1:	4F90214FB86496BC8B8F9F1D4BE0AA91BB825AD6
SHA-256:	AEAE5013B26C38DBFABDD838303B61A5E7F3E3C1AFF0C789950A03DD206C6506
SHA-512:	5A535813065F0E43573A9A41EE917FE3BC57F2D9AB12C6C7303D13EBA33ADB30375F0BE846AB45542479DB92CF13015B5700992ADEAE6C26732134AC3FA79DB0
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4d300deb, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585964043946366
Encrypted:	false
SSDEEP:	1536:pSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:paza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	E25DB9EF7177F8DDC0ABEB5C1DEA8749
SHA1:	62C3B11D895E03380B1B64067478E6583D8DDE50
SHA-256:	FD29B4A5FC0F13C51DFDC09FB8ED327647973C612FCF66E42A47122B59DAC139
SHA-512:	848E7A7DA75FE17A07A9BB20C1A9FA1DF0E63BFFD793ACFBE190983A86FA82CC0F5C6179EBDBE61AE9C4BC20D7553442CF31F49F085EDCFDBE791739EA5CB1D2
Malicious:	false
Preview:	M0..... ...............X\...;...{......................0.z..........{...5...\|S.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{.....................................5...\|s.................rr'..5...\|S..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08077850062514216
Encrypted:	false
SSDEEP:	3:TL6YeUmTZ2kurAkGuAJkhvekl1q3UvIxll/allrekGltll/SPj:36zZ3urbrxlgEvGIJe3l
MD5:	0C121863C162294E5752B2A18A0EB7A3
SHA1:	9F4AFBEBBE448BE98BF254A92FE2EDC7A160F805
SHA-256:	17C1CEECFC8BF72873F4134BDD7454FD9832ECE66ABF79B3E3057FF7AEFB02BE
SHA-512:	0D70B1AF3D850D7857264728A6B7E9D7DEB70AD931285DD600807676BA217D6A2F74F33758CC132CAF93E4688E5DFBAEA8AF19BBDE114FE2D2B640497A78D40E
Malicious:	false
Preview:	...V.....................................;...{...5...\|S......{...............{.......{...XL......{..................rr'..5...\|S.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.log

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\A39tzaySzX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tdgr3hb.0fn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5de3i03c.xsb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5pu0ct2r.ayt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_glbjohkb.xhi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imzmhffo.ocj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iunublzp.mn4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmfv4cuf.f1l.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ot5rexhx.zqm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qforbnhn.am5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sioqhl1m.u4b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svxst01h.e12.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmbju4kw.omc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vsdhun0f.gv2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzydpe4z.rta.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjws4u5w.k1e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyw3ajrf.odi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Download File

Process:	C:\Users\user\Desktop\A39tzaySzX.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 6 21:52:54 2024, mtime=Sun Oct 6 21:52:54 2024, atime=Sun Oct 6 21:52:54 2024, length=46592, window=hide
Category:	dropped
Size (bytes):	773
Entropy (8bit):	5.034944319988458
Encrypted:	false
SSDEEP:	12:8StPgZ64fZVY088C8LlsY//8DYLw5yo9gSKjA4HgLhS8YxRmV:8/fcf87LZUDaAyS2ALhS8qRm
MD5:	506914279E5FEA9FD17D5D7011A7C7DE
SHA1:	C8366C26224C81662E86AA59CDB936A7C1C544BB
SHA-256:	62F0237E7AF18C7DB9B4497BDD1CCE7A400A4E1E5D10DF00694623FA07DFE778
SHA-512:	DBE0F144E71AFA8F4DCA5C6E2FD67C8CD3FFA9C9C334C17745D47290BD3C5A12182515ACC3A219D95BB0946435F086620B3D2D83710A0EE0D9E4695642888D13
Malicious:	false
Preview:	L..................F.... ...&..zB...&..zB...&..zB...........................x.:..DG..Yr?.D..U..k0.&...&...... M.......pQB...9..zB.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlFYy.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....FYw...Roaming.@......DWSlFYw.....C........................R.o.a.m.i.n.g.....d.2.....FY.. .RUNTIM~1..L......FY..FY.......(.....................u..R.u.n.t.i.m.e.B.r.o.k.e.r.......\...............-.......[............cG~.....C:\Users\user\AppData\Roaming\RuntimeBroker........\.....\.....\.....\.....\.R.u.n.t.i.m.e.B.r.o.k.e.r.`.......X.......642294...........hT..CrF.f4... .u...5....,...W..hT..CrF.f4... .u...5....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\RuntimeBroker

Download File

Process:	C:\Users\user\Desktop\A39tzaySzX.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.619945915738187
Encrypted:	false
SSDEEP:	768:jrafOzvjxS1aT3YVAPlVufu4MVouVj9mddTbFEPa9pHWlkwV6vOChszji34U:jr0ijxI+lkyVHoPFJ9VS36vOCWeoU
MD5:	22F8E7B6BEE7261893C506EDF6AD4F5D
SHA1:	0B3500C4F645CC80DFF09ACF2A14817A1258B7B6
SHA-256:	40E2D1401D62FEB1971EB8E5F216EF1231199E58CD4C55692B3BA048ED13FB87
SHA-512:	74C70B49B3CBBDF6E4BF7CE7AD7DDE3EA1341F21027615256D439578846148964BC7C723308BE2236D95A74ED242A20647AB15F91934E34B8D49005185674F89
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].g................................. ........@.. ....................... ............@.................................T...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........j..<a............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.619945915738187
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	A39tzaySzX.exe
File size:	46'592 bytes
MD5:	22f8e7b6bee7261893c506edf6ad4f5d
SHA1:	0b3500c4f645cc80dff09acf2a14817a1258b7b6
SHA256:	40e2d1401d62feb1971eb8e5f216ef1231199e58cd4c55692b3ba048ed13fb87
SHA512:	74c70b49b3cbbdf6e4bf7ce7ad7dde3ea1341f21027615256d439578846148964bc7c723308be2236d95a74ed242a20647ab15f91934e34b8d49005185674f89
SSDEEP:	768:jrafOzvjxS1aT3YVAPlVufu4MVouVj9mddTbFEPa9pHWlkwV6vOChszji34U:jr0ijxI+lkyVHoPFJ9VS36vOCWeoU
TLSH:	C3234A493BE40615EAFFABF9287366060771A9134D13D79D0CD94A9A2F37B808E40BD7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].g................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cbae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67015DCF [Sat Oct 5 15:39:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb54	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabb4	0xac00	1e9610ca7e862c5bb656398dd5191bb8	False	0.4836028343023256	data	5.725886423976654	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x4d8	0x600	f6c47cdb3f8d3f5690c13498a6c8249d	False	0.3756510416666667	data	3.7216503306685733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	0e2aa914b3d3cbf405fd45597258aa8a	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xe2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 00:51:56.498827934 CEST	49704	80	192.168.2.5	208.95.112.1
Oct 7, 2024 00:51:56.505424023 CEST	80	49704	208.95.112.1	192.168.2.5
Oct 7, 2024 00:51:56.505670071 CEST	49704	80	192.168.2.5	208.95.112.1
Oct 7, 2024 00:51:56.507294893 CEST	49704	80	192.168.2.5	208.95.112.1
Oct 7, 2024 00:51:56.513729095 CEST	80	49704	208.95.112.1	192.168.2.5
Oct 7, 2024 00:51:57.002772093 CEST	80	49704	208.95.112.1	192.168.2.5
Oct 7, 2024 00:51:57.045623064 CEST	49704	80	192.168.2.5	208.95.112.1
Oct 7, 2024 00:52:51.587018013 CEST	80	49704	208.95.112.1	192.168.2.5
Oct 7, 2024 00:52:51.587090969 CEST	49704	80	192.168.2.5	208.95.112.1
Oct 7, 2024 00:52:55.386508942 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:52:55.393575907 CEST	7632	49966	147.185.221.23	192.168.2.5
Oct 7, 2024 00:52:55.393670082 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:52:55.712786913 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:52:55.718697071 CEST	7632	49966	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:06.347436905 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:06.354279995 CEST	7632	49966	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:16.639722109 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:16.644536018 CEST	7632	49966	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:16.779208899 CEST	7632	49966	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:16.779287100 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:18.467576981 CEST	49966	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:18.468986034 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:18.472317934 CEST	7632	49966	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:18.473725080 CEST	7632	49985	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:18.474302053 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:18.523458004 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:18.528314114 CEST	7632	49985	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:28.545684099 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:28.554264069 CEST	7632	49985	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:37.016678095 CEST	49704	80	192.168.2.5	208.95.112.1
Oct 7, 2024 00:53:37.025336981 CEST	80	49704	208.95.112.1	192.168.2.5
Oct 7, 2024 00:53:38.577471972 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:38.583543062 CEST	7632	49985	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:39.877338886 CEST	7632	49985	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:39.877464056 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:40.326952934 CEST	49985	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:40.329046011 CEST	49986	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:40.334126949 CEST	7632	49985	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:40.335870028 CEST	7632	49986	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:40.335994005 CEST	49986	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:40.366849899 CEST	49986	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:40.373742104 CEST	7632	49986	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:52.373997927 CEST	49986	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:52.379170895 CEST	7632	49986	147.185.221.23	192.168.2.5
Oct 7, 2024 00:53:59.357012987 CEST	49986	7632	192.168.2.5	147.185.221.23
Oct 7, 2024 00:53:59.361785889 CEST	7632	49986	147.185.221.23	192.168.2.5
Oct 7, 2024 00:54:01.715792894 CEST	7632	49986	147.185.221.23	192.168.2.5
Oct 7, 2024 00:54:01.715902090 CEST	49986	7632	192.168.2.5	147.185.221.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 00:51:56.476186037 CEST	65110	53	192.168.2.5	1.1.1.1
Oct 7, 2024 00:51:56.486793995 CEST	53	65110	1.1.1.1	192.168.2.5
Oct 7, 2024 00:52:55.347959042 CEST	59024	53	192.168.2.5	1.1.1.1
Oct 7, 2024 00:52:55.361877918 CEST	53	59024	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 00:51:56.476186037 CEST	192.168.2.5	1.1.1.1	0xa83	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 00:52:55.347959042 CEST	192.168.2.5	1.1.1.1	0x135a	Standard query (0)	introduction-husband.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 00:51:56.486793995 CEST	1.1.1.1	192.168.2.5	0xa83	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 7, 2024 00:52:55.361877918 CEST	1.1.1.1	192.168.2.5	0x135a	No error (0)	introduction-husband.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	2148	C:\Users\user\Desktop\A39tzaySzX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 00:51:56.507294893 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 7, 2024 00:51:57.002772093 CEST	175	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 22:51:55 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	18:51:52
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\A39tzaySzX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\A39tzaySzX.exe"
Imagebase:	0x310000
File size:	46'592 bytes
MD5 hash:	22F8E7B6BEE7261893C506EDF6AD4F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3266030473.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2014621962.0000000000312000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	18:51:56
Start date:	06/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\A39tzaySzX.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:51:56
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:52:04
Start date:	06/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'A39tzaySzX.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:52:04
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:52:16
Start date:	06/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:52:16
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:52:31
Start date:	06/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:52:31
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:52:54
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\user\AppData\Roaming\RuntimeBroker"
Imagebase:	0x7ff7503d0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:52:54
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:52:56
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\RuntimeBroker
Imagebase:	0x790000
File size:	46'592 bytes
MD5 hash:	22F8E7B6BEE7261893C506EDF6AD4F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:53:01
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\RuntimeBroker
Imagebase:	0xe50000
File size:	46'592 bytes
MD5 hash:	22F8E7B6BEE7261893C506EDF6AD4F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:53:05
Start date:	06/10/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff7b8450000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:53:06
Start date:	06/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	18:53:13
Start date:	06/10/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff7b8450000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848E89CDD Relevance: 4.4, Strings: 3, Instructions: 658
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 00007FF848E8A48D
CAM_^, xrefs: 00007FF848E8A4B1
!, xrefs: 00007FF848E89D03

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID: !$B$CAM_^
API String ID: 0-1418108810
Opcode ID: c963acde7ef0e1d8e82052a3fd48ba7af0d8e3719a8501ecba45e7098ed7aa16
Instruction ID: 02f612e5f0d366397edb27ac97283dd422b2977220e689737a005e24a7f971f0
Opcode Fuzzy Hash: c963acde7ef0e1d8e82052a3fd48ba7af0d8e3719a8501ecba45e7098ed7aa16
Instruction Fuzzy Hash: 34327270A18A095FEB88EF2884997BDBBE2FF88354F54457DD00DD3292DF74A8818B45

Function 00007FF848E892E9 Relevance: 3.8, Strings: 2, Instructions: 1333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FF848E8A4B1
6, xrefs: 00007FF848E8A703

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID: 6$CAM_^
API String ID: 0-2259320755
Opcode ID: 1472c3cdac6b58b24e68590636934e08b577fbd764d05b815df2ce783e56ab46
Instruction ID: 145a5580abc1b5db91783930f13e95c6a526cdf8757613341f329c89aa53d151
Opcode Fuzzy Hash: 1472c3cdac6b58b24e68590636934e08b577fbd764d05b815df2ce783e56ab46
Instruction Fuzzy Hash: E4A28F70A18A099FEB88EF28C49577DB7E2FF88754F544579D00DD3292DF38A8818B42

Function 00007FF848E8155E Relevance: 1.8, Strings: 1, Instructions: 569
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M_H, xrefs: 00007FF848E81A74

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID: M_H
API String ID: 0-1939843538
Opcode ID: ad96c6294f8b166493883ad69adcc32fcb91fd187face260926ddbe1d44efe22
Instruction ID: e3582758b429b9584d6bd5e57e7d1f3c877b371b6e356e66b2c2f5ed4ea1ff9b
Opcode Fuzzy Hash: ad96c6294f8b166493883ad69adcc32fcb91fd187face260926ddbe1d44efe22
Instruction Fuzzy Hash: 2A02D060B2CE495FE798FB2C849667DB7D2FF98780F484579D04EC3282DE38A8414B46

Function 00007FF848E87631 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF848E876E0

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 913cefe7fa057fc4be2d9e69101bd29c9c407343e1aaf3924dae1d9efe9817c5
Instruction ID: 1ee516e2a807e263114b8568f3cf72ebd3b07c9e79f70189805833677784bdf8
Opcode Fuzzy Hash: 913cefe7fa057fc4be2d9e69101bd29c9c407343e1aaf3924dae1d9efe9817c5
Instruction Fuzzy Hash: 4C31F131808B5C8FCB59DF58884A6E97BE0FF65321F05426BD489D7292DB34A846CB91

Function 00007FF848E85CF1 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692c617a6fb6237b1298266f3b78d3af343fef57a61a7b6148c3f338eeafe6c1
Instruction ID: cb5ba11d4a2fc4b7388cd51f6f9ca3525aacc35c97753816020a490a9673b974
Opcode Fuzzy Hash: 692c617a6fb6237b1298266f3b78d3af343fef57a61a7b6148c3f338eeafe6c1
Instruction Fuzzy Hash: 50D1703091CA4E8FEBA8EF28C8557E977D1FB58340F54826EE80DC7295DF3499448B86

Function 00007FF848E81F41 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187db3a64987a803183140d386ed013e2e480a300580b7a15f136825ec26ab1
Instruction ID: c3188b1447c7d9104f289817de9a2c2687f9907ff956eab29fa270d1c5eb6ef7
Opcode Fuzzy Hash: f187db3a64987a803183140d386ed013e2e480a300580b7a15f136825ec26ab1
Instruction Fuzzy Hash: F6C18C20E1D94A9FEB98FB38845667D76D2FF98381F54417AD05EC3293DF38A8028746

Function 00007FF848E86AA1 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1746d8c593d0b83fe105286887b80c5c09ccc11e4e6c0f81a318ffb7d002f3
Instruction ID: 6324112b2641257d34b3fd1f69887f29f628419cd31c383964ff4ab985d776ed
Opcode Fuzzy Hash: af1746d8c593d0b83fe105286887b80c5c09ccc11e4e6c0f81a318ffb7d002f3
Instruction Fuzzy Hash: 65D17230A18A4D8FEBA8EF28C8597ED77D1FB58340F54862ED80DC72A5DF7499408B85

Function 00007FF848E81CA5 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0ebd504badaff5d102670b70195bd1b53d92958b9a98e91f47901e470d2f04
Instruction ID: c2811124614f632fa2586bdcfc531ce811d769235a35e33ae956cf30b3967671
Opcode Fuzzy Hash: 3b0ebd504badaff5d102670b70195bd1b53d92958b9a98e91f47901e470d2f04
Instruction Fuzzy Hash: 3E512520A1E6C95FD786A738586427ABFE1EF57256F0804FBE0C9C71D3DE281806C306

Function 00007FF848E88DF1 Relevance: 1.7, APIs: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF848E8ABE2

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: ec5e5c3e134e00f9e0ff17eb92f91c8cb635d87bc2edca62b6b78af292020be4
Instruction ID: 5868adf42488f9da822ff30e3853c76926f1b357abdfb8ae489eaccbf701b6bf
Opcode Fuzzy Hash: ec5e5c3e134e00f9e0ff17eb92f91c8cb635d87bc2edca62b6b78af292020be4
Instruction Fuzzy Hash: 3E41223180D7988FD71AEB68D8456E97FF0EF52350F08016FD08AC7193DB286886C7A1

Function 00007FF848E8AB0D Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF848E8ABE2

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 5dfd2d4a63e9b86652410855e500c5539ac9936861b794c5df7660c696e48f77
Instruction ID: 2b05206c373f961fdefc862b3a81097cad294edfa9731fbf591c93a77beb5b0d
Opcode Fuzzy Hash: 5dfd2d4a63e9b86652410855e500c5539ac9936861b794c5df7660c696e48f77
Instruction Fuzzy Hash: 7541E53180C6498FD719DFA8D885BE97BF0FF56311F04416ED08AC3592DB74A886CB91

Function 00007FF848E8C348 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF848E8C411

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: fdf200518c484ab72df1f301d83cd80b82b71bc6a189fa5ba1829c95db2b0319
Instruction ID: 5879a353d261908042685aad4b958ba8caf26c161b394139150f4beb5a8aa1ff
Opcode Fuzzy Hash: fdf200518c484ab72df1f301d83cd80b82b71bc6a189fa5ba1829c95db2b0319
Instruction Fuzzy Hash: 9C31063190CA4C4FDB58EB6C98066F9BBE1FB59321F04427ED049C3292CF74A85687C1

Function 00007FF848E88FB2 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF848E8C411

Memory Dump Source

Source File: 00000000.00000002.3281118258.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_A39tzaySzX.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 86ff15de63a3f85ece5f7bc2ac14341e1c5a9e8b6a6e034f6aa9c1d2bcfb68fe
Instruction ID: 23615e4cffe54d0bbb22002e3308ffe6e2388b1688a7a177d4fc32006440faf7
Opcode Fuzzy Hash: 86ff15de63a3f85ece5f7bc2ac14341e1c5a9e8b6a6e034f6aa9c1d2bcfb68fe
Instruction Fuzzy Hash: 8531C131A1CA1C9FDB58EB58D8466B9B7E1EB99311F10423ED00AD3251CB70A8568BC5

Analysis Process: powershell.exePID: 4744, Parent PID: 2148COMMON

Executed Functions

Function 00007FF848F36605 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

X72, xrefs: 00007FF848F367FD

Memory Dump Source

Source File: 00000002.00000002.2129607513.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: X72
API String ID: 0-2612799129
Opcode ID: 0045880a29c300a29cc39573863bda6bd5276204c52f5258d5f30eaecbb43294
Instruction ID: 4468b3ca53bcfcbbbec95cb5b516bc905fd65cc9359a617ea56efee002c8de89
Opcode Fuzzy Hash: 0045880a29c300a29cc39573863bda6bd5276204c52f5258d5f30eaecbb43294
Instruction Fuzzy Hash: 3DD13131E0EB8A5FE79AAB2858555B57BE0EF0A394F1801FBD04DCB0D3EE18A805C355

Function 00007FF848E69D38 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

I", xrefs: 00007FF848E6A121

Memory Dump Source

Source File: 00000002.00000002.2128946268.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID: I"
API String ID: 0-3729626156
Opcode ID: ddf5fb46d1ec3ffb351d45e17c56c63ca52c05ca660437777bf8ad6c8f33faad
Instruction ID: 32679adbd8670d4c9193e3d8ed67c2b92621e30b120f7c45aac7376d473e37ff
Opcode Fuzzy Hash: ddf5fb46d1ec3ffb351d45e17c56c63ca52c05ca660437777bf8ad6c8f33faad
Instruction Fuzzy Hash: E9F0E27180CA8C8FCB41EF28886A4E47FE0FF25200F0401EBE44DC7061DB34A8A8C781

Function 00007FF848E6A042 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2128946268.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2584c8f7abba37299e53f56e5db984add233a6f1d7b4fc6a65230d95dff3d51e
Instruction ID: 5dcf83d960b365a2d696a2c9d04b3e77f4ce14898d51ed3101ca12645a72437d
Opcode Fuzzy Hash: 2584c8f7abba37299e53f56e5db984add233a6f1d7b4fc6a65230d95dff3d51e
Instruction Fuzzy Hash: D841B6A2C4DAC15FD75BA768A8660F53FA0FF13354F0D50F7D0C8CA0A3DA1868998756

Function 00007FF848E69758 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2128946268.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26e67036552a4d9f65cb99f2ba635c02ad34048a1d491bf69dff889db67205a
Instruction ID: c31d0836f0009612fed442aa32f5daf8653bd48b926bd71475143233a6ff060b
Opcode Fuzzy Hash: f26e67036552a4d9f65cb99f2ba635c02ad34048a1d491bf69dff889db67205a
Instruction Fuzzy Hash: 9731B53191CA489FDB1CAF5CA8466B97BE0FB99711F04422FE44993252DB30B856CBC6

Function 00007FF848D4E380 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2128392783.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82bdf5d502475e27d4ff1ea554d498f54f8211291f5503b091d1b1583751d44
Instruction ID: 35273860c97960f583c04c8b3216c5d6564f3acac8b15c22af1cf90b6d5a24e9
Opcode Fuzzy Hash: b82bdf5d502475e27d4ff1ea554d498f54f8211291f5503b091d1b1583751d44
Instruction Fuzzy Hash: 3441F27180EBC45FE7969B289845A523FF0EF52365F1505EFD088CB1A3D725E80AC792

Function 00007FF848E6A62C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2128946268.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66adb653890b0fd16ef4c5b134ff906a118ed9b540878ec57058a8d3a6edab1a
Instruction ID: f4454009e69d85f1004be22525d9470ee9353cc28692d1e5bd0cf88b5bd1770b
Opcode Fuzzy Hash: 66adb653890b0fd16ef4c5b134ff906a118ed9b540878ec57058a8d3a6edab1a
Instruction Fuzzy Hash: 0F21283190CB4C4FDB59DB6C984A7E97FF0EB96321F04416FD048C3152DA74A456CB92

Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2128946268.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45

Function 00007FF848F3414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2129607513.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd214030a326b5b7d92945ad0376cbf8f697e95a31825832fd24522d78b61c4
Instruction ID: 57a882c3c36b4ef86db58168bb7f768dc5b33a0debb4b92ef8783dfd518108ae
Opcode Fuzzy Hash: 3fd214030a326b5b7d92945ad0376cbf8f697e95a31825832fd24522d78b61c4
Instruction Fuzzy Hash: 0EF09A32A0D9058FD75AFB4CE4008A873E0FF64360B1100BBE01DC71A3CB26EC508798

Function 00007FF848F34400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2129607513.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a72e4d98230ae3dce10f9ca0054cae8855afe5e91caa70ab6097ee6bf49a79b
Instruction ID: 65a0861757c9372eeaee605e7e7156e1c08991d50eafe922db5738b2186dd28c
Opcode Fuzzy Hash: 1a72e4d98230ae3dce10f9ca0054cae8855afe5e91caa70ab6097ee6bf49a79b
Instruction Fuzzy Hash: 07F0BE31A0D5448FD754EB4CE4408A8B7F0FF54320B1100F7E009C70A3DB26EC608754

Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2129607513.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84

Non-executed Functions

Function 00007FF848E68BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FF848E68C8A
N_^F, xrefs: 00007FF848E68C7A
N_^4, xrefs: 00007FF848E68BFA
N_^7, xrefs: 00007FF848E68C12

Memory Dump Source

Source File: 00000002.00000002.2128946268.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
Instruction ID: f18af481f557b0c005d2f7b16879bad207cd7bf6b81cc1df4859641e2e7b9136
Opcode Fuzzy Hash: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
Instruction Fuzzy Hash: 29213BF76494257ED3097BBCFC145E93B40EF942B4B4941B2D298CF143EA1470868AD6

Analysis Process: powershell.exePID: 6460, Parent PID: 2148COMMON

Executed Functions

Function 00007FF848D4EE20 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

m^#, xrefs: 00007FF848D4EEB6

Memory Dump Source

Source File: 00000005.00000002.2246967444.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d4d000_powershell.jbxd

Similarity

API ID:
String ID: m^#
API String ID: 0-832144713
Opcode ID: 5f6432cb87d55cde95e2ae434db85b35367d03a8feb579acde22fb4b503eab36
Instruction ID: 69c5c89b21f8062bd00c6dd2d68dc15f6a20facab4bdb1c5256a1eaf88850c44
Opcode Fuzzy Hash: 5f6432cb87d55cde95e2ae434db85b35367d03a8feb579acde22fb4b503eab36
Instruction Fuzzy Hash: 7B41157180EBC45FE7969B389C41A523FF0EF52360F1505EFD088CB1A3D625A84AC7A2

Function 00007FF848F3660A Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252720830.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f0a45e9bb158fddbd289b8f500300e811c59a691db406c2fbfabfb284f7aad
Instruction ID: 851d60596959610c613fcd82678734e827161e8818f6f73d86e9b7d95788ad8f
Opcode Fuzzy Hash: 59f0a45e9bb158fddbd289b8f500300e811c59a691db406c2fbfabfb284f7aad
Instruction Fuzzy Hash: 99C13231E1EA8A5FE799AB2858155B57BE1EF05394F1801BFD40DCB0D3EE1CA8058355

Function 00007FF848E6A0D3 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252068204.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73e73e7c0f3f8a283410a6474a940d2b7ce365f5828aeb57e51debf9de925ff
Instruction ID: 1b11dd9388ec188cfcb73fab06b6e0d8c37ca260c61885285e11944a1431fc48
Opcode Fuzzy Hash: b73e73e7c0f3f8a283410a6474a940d2b7ce365f5828aeb57e51debf9de925ff
Instruction Fuzzy Hash: 4421BBA680E7C54FD747AB78A8651E43FB0EF63254B0D00E7C088CF0A3DA185C89C7A2

Function 00007FF848F3662F Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252720830.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa8ee934ef92b91fd54fcaa55d369fb07571b41f9b947e4971857fe457702c1
Instruction ID: e4ab598959e4337c529977d388f1aeba8a20ba0fa8172c9428741e65ff43019f
Opcode Fuzzy Hash: afa8ee934ef92b91fd54fcaa55d369fb07571b41f9b947e4971857fe457702c1
Instruction Fuzzy Hash: 2881DF71E0EB8A5FE79AAB2858641747BE1EF16684F6900FBD04DCB1D3EE1C9C058319

Function 00007FF848E69D38 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252068204.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c19a7d0d564d24206fb7af4b588eb15741164ae13d36bac804f49be90def22
Instruction ID: a3d6d6b92b0c4ea925fabba3796e3e62d1979c51a7e8c60192114b72070ea18b
Opcode Fuzzy Hash: d4c19a7d0d564d24206fb7af4b588eb15741164ae13d36bac804f49be90def22
Instruction Fuzzy Hash: 4F01D47190CA88CFDB92EF2898190A57FE0FF29200B4440BBD449CB0A2D735E954C782

Function 00007FF848E69780 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252068204.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce24028d08046704e9361dfd67a6c104f88f612ecb0ef9a775ca8b98259111d2
Instruction ID: a27f0229937029baf9c95df4ab7a553751dd8cb9a3a5b76bbf69fcd02c4a8f76
Opcode Fuzzy Hash: ce24028d08046704e9361dfd67a6c104f88f612ecb0ef9a775ca8b98259111d2
Instruction Fuzzy Hash: 2231E73191CB888FDB19DB1C98066A97BF0FB99320F04426FE449D3252CB70B856CBC6

Function 00007FF848E6A64C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252068204.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad249e955f9e80f975803f9021afc9c21aadac104a211cae3701585f77040fc7
Instruction ID: 2b5f3035818f3bd070afda3133bf7b2fe60480bf7ac50b76bae0b8e40cbd22a2
Opcode Fuzzy Hash: ad249e955f9e80f975803f9021afc9c21aadac104a211cae3701585f77040fc7
Instruction Fuzzy Hash: 6421283190CB8C4FDB59DB6C984A7E97FE0EB96321F04416BD048C3152DA74A456CB92

Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252068204.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45

Function 00007FF848F3414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252720830.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd214030a326b5b7d92945ad0376cbf8f697e95a31825832fd24522d78b61c4
Instruction ID: 57a882c3c36b4ef86db58168bb7f768dc5b33a0debb4b92ef8783dfd518108ae
Opcode Fuzzy Hash: 3fd214030a326b5b7d92945ad0376cbf8f697e95a31825832fd24522d78b61c4
Instruction Fuzzy Hash: 0EF09A32A0D9058FD75AFB4CE4008A873E0FF64360B1100BBE01DC71A3CB26EC508798

Function 00007FF848F34400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252720830.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a72e4d98230ae3dce10f9ca0054cae8855afe5e91caa70ab6097ee6bf49a79b
Instruction ID: 65a0861757c9372eeaee605e7e7156e1c08991d50eafe922db5738b2186dd28c
Opcode Fuzzy Hash: 1a72e4d98230ae3dce10f9ca0054cae8855afe5e91caa70ab6097ee6bf49a79b
Instruction Fuzzy Hash: 07F0BE31A0D5448FD754EB4CE4408A8B7F0FF54320B1100F7E009C70A3DB26EC608754

Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2252720830.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84

Non-executed Functions

Function 00007FF848E68BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

N_^?, xrefs: 00007FF848E68C2A
N_^Q, xrefs: 00007FF848E68C8A
N_^K, xrefs: 00007FF848E68C6A
N_^N, xrefs: 00007FF848E68C72
N_^J, xrefs: 00007FF848E68C62
N_^<, xrefs: 00007FF848E68C12
N_^8, xrefs: 00007FF848E68BF2
N_^Y, xrefs: 00007FF848E68CBA

Memory Dump Source

Source File: 00000005.00000002.2252068204.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd

Similarity

API ID:
String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
API String ID: 0-2388461625
Opcode ID: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
Instruction ID: 922e27a44c4728726d6be0ad97921bddf139d38f6e9c7cf8ebecfd16ebed81f9
Opcode Fuzzy Hash: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
Instruction Fuzzy Hash: 212107F3A899216EC30937BCBC515E86B81EF543B874941F3E218CF113DA24648B8A96

Analysis Process: powershell.exePID: 748, Parent PID: 2148COMMON

Executed Functions

Function 00007FF848F66605 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2399984405.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755ccd752b432a59d5ae12d152bbb97d61684c6f0c99862aa0cdfadae5c7f072
Instruction ID: fe09a40e8abbf179f0f7820040231a9f4a92a7be169cf00bb5843b633d189818
Opcode Fuzzy Hash: 755ccd752b432a59d5ae12d152bbb97d61684c6f0c99862aa0cdfadae5c7f072
Instruction Fuzzy Hash: BBD12631D1EA8A5FE79AAB3858145B57BA0EF16390F1802FED44DDB0D3EE1CA806C355

Function 00007FF848E99EF3 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2398927674.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b1fa2df19626bbec34eda3450d03faf8dfde1fbfc38baa677963ef0a2d0371
Instruction ID: 9dbb8631b74bc2af9eb3fca89a9810950036d4b12f0582f6b3c7bc2df06b30fa
Opcode Fuzzy Hash: 99b1fa2df19626bbec34eda3450d03faf8dfde1fbfc38baa677963ef0a2d0371
Instruction Fuzzy Hash: 0F81FB73D0D9869FF706BB6C98A60F577E0FF522ACF0D01F2C4888A093FE6518568659

Function 00007FF848D7E620 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2397752759.00007FF848D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848d7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149b1dc7ac06e85f59c44a5d9d01bda9be846629233eb6ab0f7fea06c6c6f03d
Instruction ID: 3ab04f79c83127d6ee5f303b7156682aa4227f78e54902294fa3157f0567e4ae
Opcode Fuzzy Hash: 149b1dc7ac06e85f59c44a5d9d01bda9be846629233eb6ab0f7fea06c6c6f03d
Instruction Fuzzy Hash: D941277180EBC44FE7569B389845A527FF0EF52360F1505DFD088CB1A3D625A84AC7A2

Function 00007FF848E99768 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2398927674.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98a0eb11137a14e77b0649ed0b9df24fd7189cee39d4d44d5a471753520139c
Instruction ID: 8d7be3a218ea6a7430d832fd8adc834fd98c3ee83cc113793d160e97ddcae2ba
Opcode Fuzzy Hash: a98a0eb11137a14e77b0649ed0b9df24fd7189cee39d4d44d5a471753520139c
Instruction Fuzzy Hash: A931E83191CA4C9FDB5CAF5CA84A6F97BE1FB99710F00422FE449D3251DB70A8568BC2

Function 00007FF848E9A47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2398927674.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f5d6627f899ef54cd0f63ccda77897188364ed44fb505173e31b72ef845c5b
Instruction ID: e5d68aaa876934b43d3068590b4bb30d54d47104e832e994042c8c2241b7c342
Opcode Fuzzy Hash: 66f5d6627f899ef54cd0f63ccda77897188364ed44fb505173e31b72ef845c5b
Instruction Fuzzy Hash: 7721283190CB4C8FDB59DBAC984A7E97FE0EB96320F04416BD048C3152DA74945ACB92

Function 00007FF848E933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2398927674.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 29c1cfa6bac51b81d075f13f06edf054ad2643bd55ff8ec3c5d015a1cc12a693
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 6C01677115CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E882CB45

Function 00007FF848F64148 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2399984405.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fb5bd3b0631311c9979e2a0c18ae8cf445ee600f9878c1659112ebcfbd8c4c
Instruction ID: dcedfbeb84dbd4666ab28db703d07b06526f387a12ef2733883f941306a934a1
Opcode Fuzzy Hash: 12fb5bd3b0631311c9979e2a0c18ae8cf445ee600f9878c1659112ebcfbd8c4c
Instruction Fuzzy Hash: C8F06732A0C5458FE69ABB1CA4009A877E0EF65360B1510BAE06DC71A3CB2AEC528758

Function 00007FF848F643FB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2399984405.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d1a157a315954f04efa9709d35e199cf4e6c501ecd13976956ea2f8f621394
Instruction ID: 4d4bc54ea84b812793d06b4069ab2146d7a5d67ce4a3ad8e480eb941fc01b2f7
Opcode Fuzzy Hash: 59d1a157a315954f04efa9709d35e199cf4e6c501ecd13976956ea2f8f621394
Instruction Fuzzy Hash: 19F09A31A0C5458FEB95BB18A4419A877F0EF55360B1510F6E059C70A3DB2AAC618768

Function 00007FF848F641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2399984405.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 478f6b567d414c0c56ab44598f4de9510e26b0690043c0ae5f8f52ac250b5652
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: E9E01A31B0C8088FDA69EB0CE0409E973E1FBA8361B1112B7D14ED75A1CB22EC528B84

Non-executed Functions

Function 00007FF848E98995 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF848E98AC2
K_^, xrefs: 00007FF848E98A2A
K_^, xrefs: 00007FF848E98A6A
K_^, xrefs: 00007FF848E989C9

Memory Dump Source

Source File: 00000008.00000002.2398927674.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: 9657f5d62f7e8d51cbee22d07cf8d7ee7d7cb8d80cc2004a7d7f80f4e8be7ea3
Instruction ID: e65cfbd0984a17d4e311babb96b0077f2c10840ae1949de564d22d3f6d4817cb
Opcode Fuzzy Hash: 9657f5d62f7e8d51cbee22d07cf8d7ee7d7cb8d80cc2004a7d7f80f4e8be7ea3
Instruction Fuzzy Hash: 1A41F9B3D0EAD25FE347666958550D53FE1FF522A8F0D01F3C488CB0A3EEA9580B9615

Function 00007FF848E98BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

K_^F, xrefs: 00007FF848E98C7A
K_^4, xrefs: 00007FF848E98BFA
K_^7, xrefs: 00007FF848E98C12
K_^J, xrefs: 00007FF848E98C8A

Memory Dump Source

Source File: 00000008.00000002.2398927674.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID: K_^4$K_^7$K_^F$K_^J
API String ID: 0-377281160
Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
Instruction ID: d3f1750ee75f7e69ac9381207b3b7f432e9e9df79eb93ded9a563d1f1caef288
Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
Instruction Fuzzy Hash: 33213BF76499257ED7097B7CF8045E93B90EF982B474952B3D098CB013EA1470878ED4

Analysis Process: powershell.exePID: 5580, Parent PID: 2148COMMON

Executed Functions

Function 00007FF848F66605 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2615065583.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4136fd2be822d657ce8d6db18eaffdd5d450bf0cb11207caae9a05103982ae03
Instruction ID: 19137aed1190b53bb552536d1e26c92e2ac1cdb5a0cdc7433b689cb298a725f9
Opcode Fuzzy Hash: 4136fd2be822d657ce8d6db18eaffdd5d450bf0cb11207caae9a05103982ae03
Instruction Fuzzy Hash: 5AD13531D0EA8A5FE79AAB3858145B57BA0EF16390F1802FAD44DDB0D3EE18A806C355

Function 00007FF848F64073 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2615065583.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd98d92a627c0532b0d0eac2e42c04fca81ea4782b1da812b96f1e4e8ca7f784
Instruction ID: ae331e0dab7842f42eb219b5b55f3c475ce4da5070cb7edd6d946c3bf9f48b44
Opcode Fuzzy Hash: fd98d92a627c0532b0d0eac2e42c04fca81ea4782b1da812b96f1e4e8ca7f784
Instruction Fuzzy Hash: C6510732E0DA4A4FE79ABB1C54116B477E2FF65250F1812BAC00ED71D7DF14E8068349

Function 00007FF848F64370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2615065583.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5839ff99448511a8892d43d13d881a5e826af425f3e16980fb32c096c535eeb
Instruction ID: 1f6ec12425c429733ace4cec7372a218f69e04f720cefcba597465d18afc09d4
Opcode Fuzzy Hash: c5839ff99448511a8892d43d13d881a5e826af425f3e16980fb32c096c535eeb
Instruction Fuzzy Hash: 65415932E0DA4A4FE7A9FB2C64026B477E1EF55360F0812BAC04DD71C3EB18AC128395

Function 00007FF848E99780 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2613991794.00007FF848E95000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E95000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848e95000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aadd138007581f0ecdc18499809bbb5dda13ea4d53bfb8013f786fe2d14bda7
Instruction ID: 896cc21003c78503af67265987520adf38f27e6419b0e02ac58a3a1dff2114ba
Opcode Fuzzy Hash: 8aadd138007581f0ecdc18499809bbb5dda13ea4d53bfb8013f786fe2d14bda7
Instruction Fuzzy Hash: 2631073191CB884FDB189B5C9C0A6B97BE0FBA9311F00426FE449D3252DA70A855CBC2

Function 00007FF848D7EAA8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2612777358.00007FF848D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848d7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2334d18fdf5e8edfdfc63f1dede2704395d32b428019ea6640b58fa6f209041
Instruction ID: e4d6e7e8e7b7f6f250be2ac451dbef6f555a135eec4447cd43c9bdddbb1c9c38
Opcode Fuzzy Hash: e2334d18fdf5e8edfdfc63f1dede2704395d32b428019ea6640b58fa6f209041
Instruction Fuzzy Hash: 9F41047180EBC44FD7569B399855A523FF0EF57360B1506DFE088CB1A3D624A84AC7A2

Function 00007FF848E9A49C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2613991794.00007FF848E95000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E95000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848e95000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327bde5237c4fde3a0d23a718b4e88203117c8c8015446d99da3f80010bb1d1b
Instruction ID: c556dff7cb6a167892dcc1f97de98d63759ddbc606af86dd5f70d537c554d4f5
Opcode Fuzzy Hash: 327bde5237c4fde3a0d23a718b4e88203117c8c8015446d99da3f80010bb1d1b
Instruction Fuzzy Hash: 3D210A3190C74C4FDB59DFAC984A7E97FE0EBA6321F04416FD048C3152D674A45ACB91

Function 00007FF848F640BF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2615065583.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d5293e1b6ae046e16064d43c32c5503423b78d83cdc11e5f185d83969be43e
Instruction ID: f4e8071a000301001a8b40b2f8e296fe0258452f73ee38834f59a1b0959d9c02
Opcode Fuzzy Hash: b2d5293e1b6ae046e16064d43c32c5503423b78d83cdc11e5f185d83969be43e
Instruction Fuzzy Hash: 7621D232E0D9874FE7AAFB18945017426D2FF74290F4912BAD01DD71E2CF18EC068349

Function 00007FF848F643BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2615065583.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4fd2359850c009da7d515fc0eeebfccdd27ab55284dab155a674e35b108a6f
Instruction ID: 52198f6264d2cbd255b4d4db81b7579d3cce7d2ae7d3ac3b0f3227a350cc9864
Opcode Fuzzy Hash: bb4fd2359850c009da7d515fc0eeebfccdd27ab55284dab155a674e35b108a6f
Instruction Fuzzy Hash: EC113232D0E9864FE7A5FB2890525B437E0FF24360F0812B6D01DD71D2DB18AC228389

Function 00007FF848E933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2613991794.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 29c1cfa6bac51b81d075f13f06edf054ad2643bd55ff8ec3c5d015a1cc12a693
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 6C01677115CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E882CB45

Function 00007FF848E9A0FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2613991794.00007FF848E95000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E95000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848e95000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c3d7b8fb4e1acb4242e931df9405ed163b6adc703f189e44989ed44eac7c35
Instruction ID: 37b03e93bebf895b5746f2b0c81bc7fa0892cf948c90e85eace078b6cc78fc41
Opcode Fuzzy Hash: 37c3d7b8fb4e1acb4242e931df9405ed163b6adc703f189e44989ed44eac7c35
Instruction Fuzzy Hash: E5F0F67694DA8C4FDB85EF3C98690D47F90FF65205B0402ABE408C7062EB709848C781

Non-executed Functions

Function 00007FF848E98BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

K_^8, xrefs: 00007FF848E98BF2
K_^Q, xrefs: 00007FF848E98C8A
K_^<, xrefs: 00007FF848E98C12
K_^?, xrefs: 00007FF848E98C2A
K_^J, xrefs: 00007FF848E98C62
K_^N, xrefs: 00007FF848E98C72
K_^Y, xrefs: 00007FF848E98CBA
K_^K, xrefs: 00007FF848E98C6A

Memory Dump Source

Source File: 0000000A.00000002.2613991794.00007FF848E95000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E95000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff848e95000_powershell.jbxd

Similarity

API ID:
String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
API String ID: 0-2350917820
Opcode ID: c2d250409876c8e8bc46566e03b8057a7c6a6753198608625f1c07d881f54f57
Instruction ID: 444569eb3d96cba44d8e31ac74dbc91df50d930669615525f43429644e5a31e4
Opcode Fuzzy Hash: c2d250409876c8e8bc46566e03b8057a7c6a6753198608625f1c07d881f54f57
Instruction Fuzzy Hash: D621F6F3A889157ECA0A36BDF8415E87791EF543B874952F3E018DF113DE24A48B8A94

Analysis Process: RuntimeBrokerPID: 5668, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E51CA5 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a6c90ef39090b3573d099548d36330e0cdf33bad1c28c115a4393cae95485d
Instruction ID: 6f854f1f8ce30c5d6c70a6a4774046329191d0ebe175c6366ec6deecc44315d4
Opcode Fuzzy Hash: c6a6c90ef39090b3573d099548d36330e0cdf33bad1c28c115a4393cae95485d
Instruction Fuzzy Hash: 67512460A1E6C95FD786A7785824276BFE1EF57259F0800FBE0C9C71D7DE180806C346

Function 00007FF848E50788 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

<P_^, xrefs: 00007FF848E50801

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: <P_^
API String ID: 0-1190497245
Opcode ID: 9bff9a3e23048e600b9e8e3d0184d94641107cad7dca6905001d89058e6245ca
Instruction ID: 1b0302d9d05d79ab45155b374213188a73738d7977885c6e429070546ac1285c
Opcode Fuzzy Hash: 9bff9a3e23048e600b9e8e3d0184d94641107cad7dca6905001d89058e6245ca
Instruction Fuzzy Hash: 015129B294D65A6FD304FB7CA4925F97BE0FF45250F4840BAD08CC7297DE2428058BA9

Function 00007FF848E50E05 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080c94c42b1153867b040e460e91bba853f3647c52f52754a5c2461c67a19985
Instruction ID: 1094dbc01717075caba17700d71de4b48f6c02c6dd66cc2f4025010daf174996
Opcode Fuzzy Hash: 080c94c42b1153867b040e460e91bba853f3647c52f52754a5c2461c67a19985
Instruction Fuzzy Hash: 8A412CB2D0DA8A5FE749FBBC98610F9BBA1FF40290F4900B7D049CB193DE2858068355

Function 00007FF848E50E60 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a485dba6f439aedf122f7d407f9b442546400c08717aaa8bc0dd2417fadb4c
Instruction ID: 63d7a2fea986484951f5840185825bc556c713462fa88bb17e195e628146c7bd
Opcode Fuzzy Hash: 98a485dba6f439aedf122f7d407f9b442546400c08717aaa8bc0dd2417fadb4c
Instruction Fuzzy Hash: CA21C461D0DA8A4FEB49FBA888611F9BBB2FF45380F4900BAC049C72D3DE385D059745

Function 00007FF848E512C9 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049942066b401c8259314d9e3019b4b32b92fdf2a1f08e59fa056d063b937da9
Instruction ID: 7aeeb83f5a0f3e32801e5e6a0727aab4f9da281f10612bc0549bd85197430d90
Opcode Fuzzy Hash: 049942066b401c8259314d9e3019b4b32b92fdf2a1f08e59fa056d063b937da9
Instruction Fuzzy Hash: 21715070A1DA5A5FEB98FBB894696BD76E2FF88340F40047DE40EC32D6DE3958018754

Function 00007FF848E50C3E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9eec0e6dd96eedf3fafcc5087c8d540a28adbf7973b77cc8af998b16454f6e
Instruction ID: f66a18551f8e98a0c99d71d15382face7a5ad292b2aeda7ae1a9640f723fa2f4
Opcode Fuzzy Hash: aa9eec0e6dd96eedf3fafcc5087c8d540a28adbf7973b77cc8af998b16454f6e
Instruction Fuzzy Hash: 11514831A0EA865FE396B77C98652B97BE1EF87650B0900FBD48CC7197DD1C5C428352

Function 00007FF848E50538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4338a2d103e1528b6c0136c4eaff059bbf76eeb0bcf4baf53c1fd7a35c13f422
Instruction ID: 67d7f398563c653b863b64b990efefc094ff15b188b9168514df7c5af79a8cb5
Opcode Fuzzy Hash: 4338a2d103e1528b6c0136c4eaff059bbf76eeb0bcf4baf53c1fd7a35c13f422
Instruction Fuzzy Hash: 1A31E121B1D9495FE798FB3C945A379B6C2EB98795F0401BEE00EC32D7DE68AC028345

Function 00007FF848E50AD1 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15633033aed585765a271c84c2b6ca218ef577f585216c48fa45696e2e82d76
Instruction ID: dacc050642cf997e2806d54de244f1c8801dd3d2a11bcb5eff14110144a736d2
Opcode Fuzzy Hash: c15633033aed585765a271c84c2b6ca218ef577f585216c48fa45696e2e82d76
Instruction Fuzzy Hash: B531F3A1F1C9495FE788BBAC585A3BDB7D1FF98651F084176E40DC3282DE2898018752

Function 00007FF848E50985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dc8b8792e123d026fc99fc42cb40179405bc6da494c81078e482d171f98f6e
Instruction ID: bb57c90caf71a6b4170ad2f734505eea8a987bbf033f810bf956f4556f310992
Opcode Fuzzy Hash: 14dc8b8792e123d026fc99fc42cb40179405bc6da494c81078e482d171f98f6e
Instruction Fuzzy Hash: 1631AF70E18A0A9FEB48FBB8D4556FDB7E2FF88340F544579E009C3286DE38A8018B54

Function 00007FF848E50888 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177f035d25d74b4db0616087f13b09fb40749824c74406dd4609415ab393ca32
Instruction ID: 4ed61bb461e086a3c25b44ef6cd5989327935310b47d4411bb6312a1d9a8e18e
Opcode Fuzzy Hash: 177f035d25d74b4db0616087f13b09fb40749824c74406dd4609415ab393ca32
Instruction Fuzzy Hash: 5421A171A59A0F5FD348EB7C90965F97FE2FF88200F8445ACE40AC739ADE3569008B64

Function 00007FF848E51E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2698314757.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848e50000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447c11ff68dcba47e3dac7b3b2dd39de2aa66c24a1ba8987dcea5931310f69b8
Instruction ID: 2ca66f895fbdbb46d9bc7200bc9b682653f2ec9361667d88de0f6997ad026b00
Opcode Fuzzy Hash: 447c11ff68dcba47e3dac7b3b2dd39de2aa66c24a1ba8987dcea5931310f69b8
Instruction Fuzzy Hash: B9012654D0D7C54FE751B7385C15071BFE0EF92284F0804EFE888C6097DE28AA448396

Analysis Process: RuntimeBrokerPID: 5416, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E81CA5 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efc6b5bdba5f1c93e09ac911ed871cdd0d9c4e6d3d5f566cb73fe41c60b607f
Instruction ID: ddfcb68d047c7e9576bebe9706c8993ea77178995b2041b110f2a29dc2cde6a2
Opcode Fuzzy Hash: 8efc6b5bdba5f1c93e09ac911ed871cdd0d9c4e6d3d5f566cb73fe41c60b607f
Instruction Fuzzy Hash: 8D512320A1E6C95FD786A738582427ABFE1EF97256F0800FBE0C9C71D3DE281806C306

Function 00007FF848E80788 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

<M_^, xrefs: 00007FF848E80801

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: <M_^
API String ID: 0-1376500734
Opcode ID: b1986b5c8d9c193dd34d369734b62e52a49ff0ee3fce5238fff9f513ffbc8187
Instruction ID: 259233f991c5762a4d02b6bf2ee610aad544d287fff1a11edb727a44dd2c82d8
Opcode Fuzzy Hash: b1986b5c8d9c193dd34d369734b62e52a49ff0ee3fce5238fff9f513ffbc8187
Instruction Fuzzy Hash: 9851497194999DAFE349F72894960F83BE0FF45254F4882F5D088C7283EF3924008BA9

Function 00007FF848E80E05 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa26a63c700b9fee541a1384b378410dda1dcdd71f1aac27fd6d40cc62ffcc1d
Instruction ID: 2ff22113d789e0b5748c9b57abc527029d738f58664ebae60bbb2523c9eda642
Opcode Fuzzy Hash: aa26a63c700b9fee541a1384b378410dda1dcdd71f1aac27fd6d40cc62ffcc1d
Instruction Fuzzy Hash: E441E262D0DA8E5FE749FA6C98650FE7BA1FF81291F8801B6C089C7193DE3858068354

Function 00007FF848E80E60 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1b43c7a7462a746c297c0121a117642577a38e3e3bdb0190d1b34ba3f53bd9
Instruction ID: f2cdec0a6741d691c750546d03cf80a4a2ecda89b34d8b2c9e925dd778231aa8
Opcode Fuzzy Hash: 4c1b43c7a7462a746c297c0121a117642577a38e3e3bdb0190d1b34ba3f53bd9
Instruction Fuzzy Hash: 23217F21D1DA8A5FEB49EB6888611FE7BB1FF45380F8800B6C04AD72D3DE3858058759

Function 00007FF848E812C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9c4c05c6fa5ad06aaf04678bd07a0eda32369684cca5fd843b0cd9c669e99a
Instruction ID: 16f8a1ff0b7b0d2c6499f7bad785fddd71f9e17008277f031387959e6a26aed0
Opcode Fuzzy Hash: bc9c4c05c6fa5ad06aaf04678bd07a0eda32369684cca5fd843b0cd9c669e99a
Instruction Fuzzy Hash: DC716130A2DA999FEB98F77894696FD36E2FF89344F800578E04EC32D6DE3958018754

Function 00007FF848E80C3E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1891d0cda82fd81446700a30673fe87d9ed5c8903cd927ba03f1d3476507c96a
Instruction ID: 0cadcc9d2db9d90acae064ab82927f924888f65c6970e26118731590862bb8d1
Opcode Fuzzy Hash: 1891d0cda82fd81446700a30673fe87d9ed5c8903cd927ba03f1d3476507c96a
Instruction Fuzzy Hash: F8515821A0EA8A5FE796B73C98552B97BE1EF87650B0901FBD48CC7193DD2C5C028762

Function 00007FF848E80538 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820e16f93df202c1e8966d731181cc642378e9298b9281e8f38303765c182dd8
Instruction ID: 76e44225b3e8c032d64d2f6fe1f86b2ca3e815ea2e803789d15b9ee607e7974f
Opcode Fuzzy Hash: 820e16f93df202c1e8966d731181cc642378e9298b9281e8f38303765c182dd8
Instruction Fuzzy Hash: EC31E120B1D9495FE798FB3C945A379B6C2EB98795F4405BEE00EC32D7DE28AC028745

Function 00007FF848E80AD1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347cf90261b7768978a30d2285b30a66f9075b739e113f6b3ee9c5e691c63359
Instruction ID: 4053071072ac7d7b333a77981b5cfaacaedc8a20031ffb30e05b313403b9698e
Opcode Fuzzy Hash: 347cf90261b7768978a30d2285b30a66f9075b739e113f6b3ee9c5e691c63359
Instruction Fuzzy Hash: 6C31E061F1DD495FE788BB6C585A2BDB7D2FF98651F0442B6E40CC3292DE3898018B61

Function 00007FF848E80985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca1724f5b771c421cb71813bee81c1921f8a1a5a4186d6efbb45e10b0632709
Instruction ID: e07897f304cbe11f715777bbb12edcd473e8feecd70235278c66d408f729f6a7
Opcode Fuzzy Hash: bca1724f5b771c421cb71813bee81c1921f8a1a5a4186d6efbb45e10b0632709
Instruction Fuzzy Hash: 9D318F30A1994E9FEB88FB68C8556FDB7E1FF98340F5441B9D009D3286DE39A8418B64

Function 00007FF848E80888 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b583fcfc662f2e0e7d4ab35a04ea3353f916abce9a9e842d029c4b816e7c5e7
Instruction ID: 6e9d7384b9274b06a64119d48b72b28d9e1db72a065faafad606f1d8afc15c0a
Opcode Fuzzy Hash: 9b583fcfc662f2e0e7d4ab35a04ea3353f916abce9a9e842d029c4b816e7c5e7
Instruction Fuzzy Hash: 9B21A73061598D9FE798FB18809A5F97BE1FF88204FD4C2E4D489D3386DE39680087A5

Function 00007FF848E81E71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2745381852.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbbad7a8230e6d62efe0976f2e231eac2e966db1ddb01531907e0a53b7f8f74
Instruction ID: 574f2e854f154ed7de1cc50fd86eee89cadee3d9e838779ecc7f95c93bc5aafa
Opcode Fuzzy Hash: 3fbbad7a8230e6d62efe0976f2e231eac2e966db1ddb01531907e0a53b7f8f74
Instruction Fuzzy Hash: 7D012614D0D7C48FE742B7384865079BFE0EF92280F8804EFE888D7097EA29A9448396

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A39tzaySzX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tdgr3hb.0fn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5de3i03c.xsb.psm1

Windows Analysis Report
A39tzaySzX.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre